Morning, everybody. It's great to see a pretty packed room this early in the morning with breakfast going on. Appreciate everybody showing up, and hope everybody has a great two days of meetings now that our public companies are, are, are going. My name's Mike Walkley. I'm the Security and Communication Software Analyst with Canaccord Genuity, and you know, real excited to have the management team of Qualys with us today. Sitting to my right is Sumedh Thakar, the President and CEO, and next to him is Joo Mi Kim, the CFO of Qualys. The format, we're just gonna do a, a fireside chat, question and answer. We're gonna leave time at the end for the audience, so if anybody has questions, just raise your hand and you know, I'll repeat it so the webcast can hear it.
Just to start off, maybe you could just provide us with some color on the macro trends and how it's impacting your business since, it's been kind of a up and down year with a lot of quarterly reports from companies.
Yeah, thank you for having us. I think, I would say that the macro generally has stayed the same from what we have started to see around Q4, I mean, a little bit here or there, generally. Customers are engaging in a lot of conversations. They are looking more how they want to rearchitect their stacks, more longer term. From the conversations that we are having, they see this as an opportunity to consolidate more on platform-type solutions, rather than continuing to get more and more one-off solutions. It also means that it's taking them longer to think through on when to start these projects, how to kick off, how to fund, some of these things.
Additional scrutiny on budget spend, definitely is continuing, which is a trend we see in IT as well, and then security as well. Overall, I would say that the environment has remained the same, what we have seen. There is elongated cycles, there is a pressure on the budget and additional scrutiny, but it also is an opportunity for platform players like Qualys to really be able to showcase the capabilities that they can bring, which is in terms of, you know, sort of longer term cost savings and, and better and faster security.
Yeah, great. I want to get into the platform a little bit, but just building on the macro, you know, a lot of software security companies, you know, have called out the financial sector as an area of, of weakness, especially after Silicon Valley Bank. I know Qualys has a pretty good concentration within that area, but you seem to navigate that better. Maybe you can share with us how you've been able to navigate the, the financial sector maybe better than some of your competitors.
Yeah, I saw some of the competitors had, you know, that exposure. We didn't see that at Qualys. I think, you know, we are-- we have a exposure to the financial segment more at the higher enterprise level, which, you know, generally seems like the bigger financial institutions, at least from what we see right now, a lot more stable, and so we don't really see... We didn't see that, and so we continue to monitor. At this point, we haven't really seen that kind of impact on, from the banking situation.
Okay, great. Just switching gears, you know, according to your 2023 TruRisk report, it seems like not only are the volume of vulnerabilities increasing given digital transformation, but also the amount of time for bad actors to exploit these vulnerabilities is declining. Which we anticipate would only continue over time, given the weaponization of AI. Given the success of VMDR and your newer solutions, such as Patch Management and CyberSecurity Asset Management, how is Qualys suited to help customers address the key points around risk mitigation?
Yeah, I, I think the report is very interesting because... not a surprise in a way, because almost every single company out there and every single government has become a software developer now. Everybody is, is leveraging digital transformation. Your interaction with your, with your vendors, everything is digital, even for consumers, as they talk to their governments, everybody's developing more software. You know, having been a software developer myself in the past, there's a, you know, the more lines of code you write, the more vulnerabilities you will have in that code. So it's not a surprise that we're seeing more vulnerabilities. As everything moves digital, the attackers are financially, essentially, incentivized to go after the digital assets more, and so the attacks are coming sooner. They are putting more resources on their side to weaponize these vulnerabilities sooner.
From a consumer standpoint and from the CISO standpoint, it's really about how do they see more vulnerabilities and weaponization happening faster and more assets? That's the other thing, that everybody's just deploying more digital assets, so the threat environment continues to get complicated for them. When they are looking at how do I protect my environment, it is not anymore about how many vulnerabilities you have, how many can we detect those in the third-party software as well as the first-party software. It's really about which of those issues actually cause a risk to the to your environment, and then how can you fix those as fast as possible? From a CISO perspective, essentially, we look at three things, right? One is inventory. Do I know what I have?
Second is, am I able to find and discover all the vulnerabilities and then prioritize the ones that are most important, actually cause risk? Then third is, how quickly can I actually fix those? So with the innovation that we have done on the platform with VMDR, with CyberSecurity Asset Management, and then Patch Management, all integrated end-to-end, we talk about platforms, right? That's really the platform story, is you can go from finding your asset, finding your vulnerability, prioritizing it, and fixing it all in one interface, all in one platform. That's really what our customers are excited about, is the opportunity to transform the way that they have been doing things with four different teams to achieve the same goal, can now be done with a single agent, single solution.
That's really where, by, by having it together, we're able to give customers the ability to automatically patch their most critical vulnerabilities without wasting time. So their exposure windows to latest threats can now be down to a few hours rather than a few days or weeks that we have seen in the past.
Okay, so, so building on that answer and jumping into the, to your platform, you know, we have a buy rating on Qualys, you know, amazing profitability, one of the most profitable software companies out there. If you look at the competitive landscape, you've got private companies that are struggling in this environment to raise money. You know, you, you mentioned a platform approach, and there's studies out there, like from Gartner, who said two years ago, only 20% of companies were looking at a platform approach, and now it's 75%.
Yes.
As you look at, maybe for both of you, you've got strong cash flow, great balance sheet. A lot of your competitors have to pay off converts that aren't gonna convert now. As you look at your platform, you've got a great R&D team that you invest in. Is it more gonna be investing to grow your platform, or do you think there's some M&A that might make sense, just given the competitive advantages of, of your balance sheet?
Yeah, I mean, I would say that we're glad to be in a position that we are from profitability perspective. It's been the, the strategy of the company for many years. I would also say that the trend around customers wanting to consolidate in the platform is something we saw years ago, and so that's why almost a decade ago, we started our R&D efforts and, and set out our innovation center in India to be able to have the ability for us to scale quickly and be able to develop all these solutions that we today have. We've focused a lot on organically developing things on the platform because the customers really want a well-integrated end-to-end solution, not just one vendor that is essentially giving them 10 different solutions that they have to deploy, like they're 10 different solutions.
It's the same at the end of the day from their perspective, if they have to go through that process. So we really focus, very laser-focused on making sure that the end-to-end experience of the customer is very important. How does that manifest in a real customer scenario is what we talked about at the earnings call last week, which is, you know, a customer was seeing malicious activity in their environment. They already had VMDR agents from Qualys on their assets, and they called us, said, "Hey, we're seeing some malicious activity. We need to patch things quickly before the attackers get to more devices." We were able to flip on Patch Management on those assets and actually finish all the patching for those in that first 24 hours. Why? Because it was so well integrated.
If it was a different solution, different console, it would be difficult for them. We always continue to say our, our leading focus is a really, truly well-integrated platform solution. How do we get there? We do a lot of organic development, but we've also done tuck-in acquisitions, like Blue Hexagon, TotalCloud, that bring additional capabilities to our platform. We also look at OEM integrations where it makes sense. With the balance sheet that we have, it's a constant conversation for us to say, how do we leverage our position to be able to do meaningful M&A and where it makes sense, with the first focus on making sure it can be integrated very well with the platform.
Then, you know, looking at whether it's a smaller or a larger acquisition, that's something that we always continue to do. You know, I don't know how the conference went yesterday, but I still feel there is a little gap from true valuations. Resetting is, is still probably a few months away in our conversations with some of these companies. They still are at a, at a different place than public companies are in the valuation, so.
Yeah, we're hearing that too, but it sounds like that gap is closing. Just going back to the platform and the development with your strong development team, AI is the topic du jour. Can you talk about how you're using artificial intelligence in your platform today, and maybe any hints you can give us about how it might drive future development of products for you?
Yeah. AI has... I think it's a great technological innovation that has lots of potential. You know, having been at Qualys for the last 20 years, there's always been this series of meaning, you know, innovations that actually have contributed to the platform. So the way we look at this innovation is, is another opportunity to improve. And I think we'll have to see how transformational it's going to be once we integrate more of these things. I would say that from a Qualys standpoint, we've acquired Blue Hexagon well before this whole ChatGPT, you know, sort of thing exploded onto the in the regular conversations. We. Look, I think from an AI perspective, there's two key things, right?
One is the, the models and then, a large data set to be able to train those models, that, and make sure that they are getting more and more accurate. That's, one of the things that Qualys has really, been doing because we've been a SaaS platform for the last 20 years, is we have a huge dataset, trillions of data points that we index in Elasticsearch from customers, who have millions and millions of assets with us. So, with the Blue Hexagon acquisition, bringing on their technology specifically for the ML/AI learning, starting with the cloud, and, we just talked about that, a couple of days ago when we posted our blog on how we are using the technology.
Also the ability for us to then provide the findings out of that in not just the cloud environment, but in the non-cloud environment. That ultimately the question is going to be from any security tool and all... the entire security program, the CISOs are looking for two things, really, if you narrow it down, which is: Can I anticipate which of my assets are at the highest risk? Can I fix those quickly? You know, the thing about that is then if something is compromised, can I look at that? With what we look at the platform is with generative AI, how can we provide ways for the customers to look through this entire dataset and start to boil the assets up, which are the ones that cause the most risk?
I think, it's, it's gonna be a good, you know, addition to, the platform, but I don't see that that is the only thing that is going to change everything. I think we're gonna continue to have to, keep an eye on all kinds of different technology, and I think we've also forget that the AI technology has to have a bunch of other technology underneath that is an enabler, right? If you-
Yeah.
If you don't have the dataset in Elasticsearch and all of that already ready, you really can't use AI from that perspective. We're excited, and we, we saw this coming, you know, well before the ChatGPT thing came up. We're, we're quite excited to see later this year. We'll have a few more interesting things that we are going to showcase.
Yeah, I mean, it just seems like with the data that you already collect from all your customers, you're, you need the data, and you guys-
Yeah, absolutely.
certainly have a huge dataset to work with.
Yeah.
That seems like another advantage.
Yeah.
May I'll jump, Joo Mi, get a question for you here. Already 52% of your existing customers have adopted VMDR, and it seems like you're leading now more and more with VMDR. We expect that to continue to grow, but maybe at a slower pace, just 'cause you've already crossed that 50% threshold. Can you talk about the uplift from some of your newer solutions, like Patch Management and CyberSecurity Asset Management?
Yeah. Like Sumedh said, one of the benefits of our cloud platform is the fact that we have multiple different solutions that could potentially provide that huge uplift that we're talking about. If you're paying $1 for VMDR, for example, you could potentially be paying another $1 for Patch Management, another $0.50 for CSAM. We have other products that have yet to really take off, like EDR, which could be more expensive than VMDR, so we're excited about the opportunity.
Can you just build on, remind investors in the room from the last earnings call, kind of how those two new solutions are already, you know, in the mix, and how it's gaining traction? I think it was-
Yeah.
How much you share the numbers?
Yeah.
you know better than me.
Yeah. One of the metrics that we started to share this year is basically Patch Management and CSAM together, make up 10% of LTM bookings as of Q2, and they actually make up 19% of LTM new bookings, which is really a testament to the fact that the customers and the market is starting to view us as a security solutions platform, right? Because what we've said so far is that increasingly, the market is looking for a consolidator. For, for a long time, Qualys has been viewed as a VM solutions provider only, I think that's kind of starting to shift.
Because what we're seeing is not only with existing customers, but with new prospects when they're looking at Qualys, one of the reasons of why they decide to go with us is the fact that we offer additional solutions like Patch Management and CSAM.
Great. Maybe just jumping into VMDR, you know, you have some newly released packages going after the SMB market. Can you talk about, I know that's one of the more challenged markets, cross-spending, but can you talk about the kind of that go-to-market strategy and how that might be driving new customer growth?
So in security, you have the larger customers that have large teams and multiple, different, resources, and then you have the SME, SMB customer, where it's the same IT guy is, is, or the gal is the one who is having to fix the security aspect as well. So, what, what we see at the lower end of the market is the- since you can achieve that outcome of reducing your risk in a single platform, single agent, single console, that's very interesting for these SMB customers, so they don't have to go and figure out 4 different solutions. But in this environment, they do need to simplify their buying process. They need to see a much better, clear ROI on their investment and something that's much easier to do.
You know, if we go with saying we are a platform play and you have 4 different line items you have to purchase, you know, that, that works maybe for the larger customer. The smaller customer, they don't understand why do I have 4 line items? You know, how do I... What we decided to do was getting feedback from the customers. The value prop is clear. Either you can find the vulnerabilities, just find the vulnerabilities, which is of no use if you don't fix them. Then you need a way to all find and fix them. Then once you find and fix them, you still want to monitor that there's no other attacker on your network, and that's where your EDR comes into play.
We saw the opportunity to create sort of the, the burger, you know, burger fries, and burger fries Coke type of a thing, to say you can get the VMDR package, you can get the VMDR fix-it package, where it's one line item that includes Patch Management and VMDR, or you can get the protected package, which includes VMDR, Patch Management, and EDR. The same agent, same package, one line item can do that. You know, it's, it's early. We just released this a few months ago, and we're, you know, pretty happy with the feedback that we are getting from the customers. It also simplifies the selling process for our sellers, right? In that lower end, the market, our sellers need to get a lot more efficient, where they're not trying to explain five different modules.
It's a platform play, and it should look like a platform to the SME customers as well, so that, you know, they can just show: Here's three options. You know, which one are you interested in? We can start talking about that, other than first selling VMDR, then trying to pitch Patch Management, then trying to pitch CyberSecurity Asset Management, and EDR. I think that's a, it's a good way of, of our GTM there, but early for us to say in this challenge market, how much of an impact and how it is having. Good initial feedback from those who are using it and our sellers as well from a sales enablement perspective. We're looking forward to getting that scale from the that strategy that we put in place.
Great. Just building on the sales team, given your growing platform, you invested in sales and marketing last year, so they're, you know, getting more and more trained and probably getting better. You also just recently hired Dino DiMarino as a chief revenue officer. Can you talk, you mentioned this in earnings call, but maybe to help people here, just talk about the pace of hiring, how was the hiring environment, and maybe why it's a little bit of a slowdown to give the new CRO, you know, a chance to view things.
I think, Joo Mi can talk about, like, our space and stuff, but in general, we, we, what was one of the main things we started doing two years ago was, really when we see the opportunity, we decided to start investing additionally in sales and marketing. We got our sales and marketing spend up, you know, there are things that we, we did that, resulted in good pipeline, we're strong pipeline. We're pretty happy about that. We continue to monitor that. I think on the sales side, we put in place some initiatives, some things that we had to go back and revisit. There's a change in the CRO, and we're bringing, the CRO on board.
Like, we've always been very thoughtful in how we approach additional investments, and so we see the opportunity. We do see that we're going to continue investing in sales marketing, probably not at the same pace as the new CRO comes on board the next couple quarters, really understands where we need to focus on the strategy. We're gonna continue the hiring. We're gonna continue our investment, maybe at a little bit different pace than what we have done in the past. With Dino coming on board and with his previous experience, we're looking forward to really looking at how we execute better on the sales side. How do we leverage the marketing investment that's already generating good pipeline?
How do we make sure that we can, have that impact on the top line as well?
Yeah. Just to add to that, I mean, last year was definitely an investment year for us. You're looking at a sales and marketing headcount growing by 22% versus, like, a single-digit growth a year prior. Coming off of a strong year of investment, and from a dollar basis, it was an increase of 25% on sales and marketing spends. We continue that onto Q1, where sales and marketing continue to increase by 28% year-over-year. What we're looking at is significant investments that we made in the last few quarters, and with Dino on board, there's just going to be a natural delay, right?
As he starts to really understand the, the culture, the team, and the, the planned initiatives that we had for this year, and basically take the time that we need to realign, and make further, maybe new investments that he has and his ideas and support that. I think that some of the investment returns that we've seen is less than what we would have liked to have seen, given the current macro. With that said, we, we see strong pipeline with, coming off from a strong investment from marketing, which is great for us, and as well as a larger sales and marketing team. We'll continue to, like Sumedh said, continue to look to hire and grow the team, but also focus on optimization at this point.
Yeah, just to remind the audience, with, with all this investment, that you still. Was it 48% adjusted or EBITDA margins last quarter? you know, how should investors think about levels of profitability as you invest, you know, what's the trade-off between maybe investment to drive growth and maintaining these, you know, margins that are so much ahead of the competition?
Right. For us, we're in- we're very fortunate because of our profitability. It, it allows us to have some flexibility, especially in this market. We're not holding back on investments where we see an opportunity to get the return that we anticipate seeing in the longer run. With the 48% margin, what we're doing right now is really taking a look at our business, like, for example, R&D spend. You're looking at 16% of revenue. That used to be 18%. That's going to be kind of funding the increase in sales and marketing that we could potentially see going forward.
With that said, what we have said historically is, we don't really see, without a huge change in our business model, where EBITDA margin has to dip below that 40% range for us to support that growth of 20%+ in the longer run. We still believe that, but obviously, with the new CRO, we'll be having that discussion. We have ways to go, given that our margin is currently at 48%.
Yeah. Yeah, that's helpful. Maybe just jumping into the public sector, you introduced a GovCloud. Are you seeing interest from federal government customers, and is the federal government also looking for a platform as much as the enterprise is?
That's a great question, and pretty excited to see, you know, we, we decided to make that investment in FedRAMP High, and so we were pretty pleased early this year to get the FedRAMP High ready JAB approval. With that, what that does is that it makes us as the only platform out there that is doing asset management, vulnerability management, patch management, EDR, all in one as a FedRAMP High solution. That is mapping well with the federal government conversations that we are having, where a lot of these agencies are going through their own digital transformation right now, and so they are looking to modernize their infrastructure.
This is the right time for them to sort of look and say, Well, who's a more modern SaaS FedRAMP certified solution that I should put in my new infrastructure, rather than sort of going back to the more on-prem, separate VM solution, separate patching solution? 2 quarters ago, we highlighted one of the wins there, where a large federal agency decided to ditch a on-prem scanning solution and a separate on-prem patching solution for a single agent that was FedRAMP certified that could do both scanning, patching, and they also have some EDR from us now that they're looking into. The timing for us is pretty exciting in the conversations that we see.
Of course, the federal government, you know, has their own cycles and takes time to develop, but given as that today our revenue from federal is extremely small, and we see the opportunity to invest from a marketing standpoint, to build out this capability, work with the right partners in that space, and grow that over the next few years. It's aligning well from our perspective in the conversation that we see in terms of the government also looking to modernize their infrastructure, and we are the platform that today has that certification that they're really looking for.
That's great. I, I kind of hogged it, but we have, time for a question from the audience, if anybody, anybody has one. I know we're running low on time. Got a good room, but shy, shy early in the morning. I, I'll throw out a last question, maybe just to wrap it up. I like to end my fireside chats, you know, with this: When you're engaging with investors, what do you think's, you know, least understood or the, the biggest confusion when it comes to the Qualys story? And if you think it's pretty well understood, maybe just use this as a last chance just to, you know, why you think investors should look at Qualys now as a good long-term investment opportunity.
We've always been a very customer solution-focused company, and that's why we put our engineering investments, you know, before we got into trying to put more investments in sales and marketing. So, we're always some going to be the solution that is focused on that consolidation trend that we see right now. Just the DNA of the company has always been to get that good organic growth, but with the right profitability, and that's a focus that we're always going to have.
The profitability is something that is extremely positive, not just in this environment, but also leaves us the opportunity that we are looking forward with the new CRO to now look at how we can leverage that profitability to have the right balance to spend more in sales marketing, so that we can really look at the long-term growth that we have. We're pretty fortunate in that sense that we've stayed the course and that while our a lot of other companies in this space are trying to find ways to become profitable now, we are well ahead, and we will continue to leverage that to, you know, to grow the company and bring value to our shareholders. That's, that's pretty exciting for us.
Okay. Well, we're out of time, but Sumedh and Joo Mi, thank you so much for attending our conference. Blair King here with IR, if anybody wants to follow up, and I know you've got a busy set of meetings you guys have got to get to, so, so thanks again for attending.
Thank you, Mike. Thank you for having us.