This conference call transcript was computer generated and almost certianly contains errors. This transcript is provided for information purposes only.EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.
Operator
Ladies and gentlemen, thank you for standing by, and welcome to the QALYS Fourth Quarter 2020 Investor Conference Call. At this time, all participants are listening on remote. After the speaker's presentation, there will be a question and answer session. To ask a question at that time, please press star then one on your telephone. As a reminder, today's conference call is being recorded. I will now turn the conference over to you, Mr. Vin Rao, Vice President of Corporate Development and Investment Relations. Sir, you may begin.
Vin Rao
Good afternoon, and welcome to QALYS fourth quarter 2020 earnings call. Joining me today to discuss the results are Sumit Thakkar, our interim CEO, and Jumi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with SEC, including our latest Form 10Q and 10K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of gap to non-gap measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, and investor presentations are available on the investor relations section of our website. With that, I'd like to turn the call over to Sumit.
Sumit Thakkar
Thank you, Ben. Thank you and welcome everyone to our Q4 earnings call. Before we discuss our financial results, I wanted to say a few words about the separate announcement we issued this afternoon. As you have likely seen by now, we disclose that Philippe Coteau is taking a leave of absence due to health issues unrelated to COVID-19. Please join me in wishing Philippe a speedy recovery. In connection to this development, our board of directors has appointed me as the interim chief executive officer. As those of you who have been following Qualys know, I have been with Qualys for nearly 20 years. I was appointed chief product officer in June 2014 to lead the transformation of our platform and appointed president in October 2019. I have been working closely with Philippe for many years and we share the same vision of transforming the way our customers secure and protect their organization's IT infrastructure and applications with best-in-class cloud-based IT security and compliance solutions. I have deep appreciation for the tremendous platform we have built, and I'm honored to serve as Qualys' intern CEO. I look forward to working closely with the board and the rest of the Qualys team to continue building on our strong business momentum and driving the company forward while Philippe is out. Now, for my first task in this role, I will walk you through our earnings result for the fourth quarter and full year 2020. we are pleased to report another quarter of solid revenue growth and profitability. We also saw strong growth of our paid cloud agent subscription, which grew more than 80% over the year to 56 million. Very uniquely, our multi-function agent, lightweight cloud agent, provides visibility across the entire hybrid environment and is the underlying technology for a number of our IT security and compliance solutions that are natively integrated on our platform. As a result, Qualys customers can deploy VMDR, vulnerability management detection and response, multi-vector EDR, endpoint detection and response, policy compliance, file integrity monitoring, batch management, global IT asset inventory, and our upcoming XDR offering through a single agent, which differentiates us in our industry. In addition, we continue to expand our platform's capabilities to take response actions, enabling our customers to respond quickly to security issues in their environment. While the importance of vulnerability management for our customers remains high, for them to be able to mitigate the risk, they also are looking for ways to quickly respond to these risks and threats. As these organizations continue to increase their focus on discovering all the hybrid IT assets, mitigating the risk and detecting and responding to ongoing attacks, Qualys platform through single pane of glass uniquely provides our customers ability to do a complete asset inventory and CMDB synchronization, mitigate the risk of breaches with capabilities like VMDR and patch management, as well as at the same time detect and respond to attacks using our EDR and upcoming XDR solution. With the release of our container runtime production solution and the new SASDR offering, as well as our upcoming cloud response solution, we are now expanding similar capabilities in other infrastructure environments as well, giving customers additional opportunities to consolidate their security tools onto the Qualys Cloud platform. In terms of our newer paid solutions, we continue to see strong growth for our patch management solution. In Q4, a leading pharmaceutical firm selected our patch management application over several competing solutions, given its ability to easily and effectively patch remote endpoints without using the limited bandwidth available on their VPN gateways. They chose Qualys because of our ability to discover asset inventory, vulnerability management, and patch management through a single agent. This quarter, we also saw strong traction for our paid global IT asset discovery and inventory application with a large media conglomerate adopting the application to gain visibility of all their known and unknown assets across multiple environments, identify the end-of-life of their installed software, and synchronize with their ServiceNow CMDB. Finally, we again saw robust growth for our container security application with adoption from a large global IT services company that has already deployed our vulnerability management, patch management, global asset inventory, file integrity monitoring, and EDR solutions, further consolidating the security stack with Qualys. In terms of product innovation, we have continued to make strong progress on our product roadmap. Some key recent accomplishments include delivering a free 60-day integrated vulnerability management detection and response service to our customers to quickly assess devices impacted by SolarWinds Orion vulnerabilities, Sunburst Trojan detection, and stolen FireEye directing tools, and use the patch management capability to immediately fix their exposure with a single click using the same agent. We also enhanced Qualys container security response solution with the addition of deep visibility, runtime defense capabilities, and automated enforcement with delivery of policy runtime security. We recently introduced a brand new extension to our platform called SAS Detection and Response, SASDR, which provides a single console for IT and security teams to gain continuous visibility, security, and compliance of critical SAS applications like OG65, G Suite, Salesforce, as well as Zoom. The solution enables our customers to monitor the posture of their users and applications that have access to critical data in their SaaS environment, helping bridge the gap between on-prem as well as SaaS assets, again, through a single platform. We're also excited that we are expanding Qualys VMDR, Vulnerability Management Detection and Response, to enterprise mobile devices with the addition cloud agent support for Android and iOS devices. As part of their digital transformation, organizations continue to leverage more and more handheld mobile devices to conduct business with access to critical data from these devices. This expansion allows our customers to track vulnerabilities and misconfigurations on these devices and take appropriate response actions. built on top of our product accomplishments from earlier of 2020. Key amongst them are shipping of Qalis multi-vector EDR, which leverages the Qalis Cloud platform and Qalis Cloud agent to detect ongoing threats on endpoints, conduct threat hunting, and take appropriate response actions. It further correlates threats with vulnerabilities, providing unique capabilities for proactive mitigation from additional breaches. We also released a comprehensive inventory sync with ServiceNow, ServiceGraph, and Configuration Management Database, CMDB, as part of the new ServiceGraph connector program, a new designation within their technology partner program. With the strategic launch of VMDR early last year, which is a unique all-in-one cloud-based application that automates the entire vulnerability management lifecycle across on-premise, endpoints, and cloud environment, bringing vulnerability management, threat prioritization, and patching into a single end-to-end workflow with single agent. Looking ahead, we are enthused with the additional solutions that we plan to introduce in 2021. The XDR platform expansion, which seamlessly integrates and correlates data natively collected from all Qualys sensors with additional context from other third-party data sources. This powerful capability will let customers detect threats beyond endpoints. Qualys XDR will also orchestrate the various response actions and help our customers reduce cost and complexity of deploying and managing SIEM and source solutions. This capability is currently in private beta with select design partner customers who have been working with us. We also plan to expand support for patch management for Linux environments, so customers with cloud agents on these environments can also add Qualys patch management to these additional devices. We will continue adding additional capabilities to our multi-vector EDR, such as endpoint protection capability, EPP, as well as expanding EDR support into Linux environments. We are working on a major update to our passive scanning technology that will significantly expand our coverage of industrial control systems, operational technology environments, as well as detection of IoT devices. We showcase these solutions at our very well-attended QSC user conference, which was a 12-day virtual event held in November 2020. Over 5,000 people across our customer base, partners, prospects, analysts, and investors, and the media attended the event and we received very positive feedback. The development of these native solutions at such a rapid pace is possible because of the massive investment we've made in our cloud platform and our strong engineering talent base with over 900 employees now in Pune, India. These new initiatives open significant incremental market opportunity for us. They also allow our customers to easily and cost-effectively consolidate their stack of traditional enterprise security and compliance solutions while providing them with a single pane of glass view of all assets across on-prem, endpoint, cloud, SaaS, and mobile environment. In terms of go-to-market, we are expanding our relationships with existing partners. Our comprehensive platform with detection and response is becoming increasingly strategic for MSSP partners as they can now provide multiple services and easy upsells to their customers instead of focusing large amount of resources on building such a scalable platform themselves, having to integrate multiple other point solutions. Given the increased breadth of our product sweep, and the launch of VMDR and multi-vector ADR, we have now embarked on a few additional go-to-market initiatives that leverage the efficiency and effectiveness of our cloud platform. This is a key element of our profitable growth, driving value for our customers and shareholders. Our go-to-market activities in 2020 included leveraging our cloud platform for lead generation with free services. As an example, we launched our free remote endpoint protection solution to help enterprises secure remote workforces by providing instant security assessment, visibility, and remote patching when it was difficult for them to do this using enterprise solutions over VPN. We expanded our reach into China by establishing a private cloud platform with a partnership with Digital China, the largest value-added provider of integrated IT products solutions and support for enterprises in China. We launched the QALYS UAE cloud platform in Dubai, which further expands QALYS' operations across these continents in that region. We extended our partnerships with Deloitte Advisory, where Deloitte Advisory partnered with QALYS to integrate VMDR and our multi-vector EDR offering into Deloitte Hong Kong's cyber managed vulnerability services. Armor, a global MSSP, embedded Qualys VMDR into Armor Anywhere, an industry-leading cloud security platform. Our partnership with Armor also includes Qualys CloudView solution for compliance and security posture management of public cloud environments. We announced cloud agents' general availability on Google Cloud, providing customers with a one-click workload security visibility directly in Google Cloud. Additionally, we natively integrated our container security solution with Google Cloud Artifact Registry. We expanded vulnerability management integration with Microsoft to also include Microsoft Azure Arc to allow customers to perform vulnerability scanning on servers outside of Azure platform. We partner with Infosys, a global leader in next generation digital services and consulting to integrate Qualys VMDR and multi-vector EDR into its CyberNext platform a managed security service offering. While looking forward to 2021, we plan to meaningfully expand our sales and marketing efforts given our increased number of solutions, including our game-changing VMDR and multi-vector EDR, as well as upcoming XDR offerings. Similar to our efforts on the cloud platform, we are building a marketing platform. We have recently hired a CMO and are expanding our marketing awareness initiatives for the C-levels as well as our lead generation capabilities, leveraging our platform and increasing virtual events. On the sales front, we are expanding our quota-carrying sales headcount, or technical account managers as we call them, and have recruited an EVP of field operations for Americas, a VP of new business for the US, VP of strategic alliances for system integrators, and VP and GM for our SME, SME business. In addition, we are also planning to hire a CRO, Chief Revenue Officer, this year. We will also continue to invest in R&D and operations, as well as other support functions as we continue to scale the organization in anticipation of future growth. We believe these investments will set us up well for long-term and profitable growth. We believe the world after COVID-19 is going to be different. Companies are cloud-based solutions. Increasing adoption of our cloud agent and our passive scanning technology combined with the breadth of our solutions that span across the entire hybrid environment enables us to offer customers greater visibility, accuracy, and scalability. This position qualifies well to enable customers to consolidate their security IT and compliance facts with us, providing risk mitigation and threat detection and response on the same platform while also drastically reducing their overall spend. In conclusion, Qualys continues to clearly move well beyond vulnerability management and increases competitive advantage. We are optimistic that the adoption of our newer solutions, including patch management, multi-vector EDR, container security, and upcoming XDR, which solve meaningful problems for our customers, will provide us the opportunity to increase Booking's growth over the long term. In summary, We believe that we are now well positioned to expand our revenues with existing customers as well as continuing to expand our customer base for the years to come. With that, I will turn the call over to Jumi to discuss our fourth quarter financial results and the full year fiscal 2021 guidance.
Ben
Thanks, Hamed, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period. unless stated otherwise. We're delighted with our increasing cloud agent subscription, which lays the foundation for future revenue growth and industry-leading profitability. Our Q4 financial and operational highlights include revenues for the fourth quarter of 2020 grew 12% to $94.8 million. Looking forward, we expect Q1 2021 calculated current billing growth to be negatively impacted by the timing and amount of prepaid multiyear subscriptions, as well as shorter duration invoicing. Our average deal size decreased 3%. Excluding strategic alliance deals, which normalizes for the impact of channel customers coming off of an OEM relationship, deal size increased 6%. Paid cloud agent subscriptions increased to 56 million over the last 12 months, up from $50 million for the 12 months ended in Q3 2020. And 29% of BM customers up for renewal in the quarter renewed into a BMDR description. Excluding strategic alliance deal, BMDR's adoption was 35%, similar to Q3. Our scalable platform model continues to drive superior margins and generate significant cash flow, Adjusted EBITDA for the fourth quarter of 2020 was 43.4 million, representing a 46% margin versus 44%. Q4 EPS grew 13%, and our free cash flow for the fourth quarter of 2020 increased 27% to 31.9 million, representing a 34% margin. In Q4, We continue to invest the cash we generated from operations back into Qualys, including $5.9 million in capital expenditures for operations, including principal payments under capital lease obligations, and $34.8 million to repurchase $352,000 of our outstanding shares. Looking back on the year, we are proud to have continued our product leadership while meaningfully growing earnings and cash flow for our shareholders. In 2020, we released several new products, features, and enhancements. Cloud agent adoption grew over 80% from 31 million cloud agent subscriptions to 56 million. We grew EBITDA by 23% and achieved record EBITDA margins of 47%. We utilized $126.7 million of our cash to repurchase approximately $1.3 million of our outstanding shares. And finally, we grew EPS by 25%. We remain confident in our business model, driven by our foundation of nearly 100% recurring revenue and an expanding suite of applications. Looking to 2021, we are excited about the revenue growth opportunity from our newer solutions, including VMDR, patch management, and multi-vector ADR. We expect full year revenue in 2021 to be in the range of $399 million to $42 million, which represents a growth rate of 10% to 11%. In terms of 2021 profitability, we expect to maintain industry-leading margins, leveraging our highly profitable operational model, while preserving the ability to further invest to drive future revenue growth. We expect full-year non-GAAP EPS in 2021 to be in the range of 2.60 to 2.65. For Q1, we expect revenue to be in the range of 94.8 million to 95.4 million, which represents a growth rate of 10% to 11%. We expect non-GAAP EPS in Q1 to be in the range of $0.58 to $0.70. We expect first quarter of 2021 capital expenditures from operations to be in the range of $6 to $7 million, and full year 2021 to be in the range of $30 to $35 million. As Seema had mentioned, we are very excited by the robust adoption of VMDR and the launch of our multi-vector EDR solution and remain optimistic about the company's future. We feel very confident during this period of uncertainty due to the value provided by our cloud platform as well as our underlying highly scalable and profitable operational model. With that, Sumedh and I are happy to answer any of your questions.
Operator
Thank you. Again, ladies and gentlemen, if you'd like to ask a question, please press star then one on your touchtone telephone. One moment for the first question. Our first question comes from Daniel Ives of Webless. Your line is open.
Qualys
I think as well with sleep and... You know, in some regards. Look, just back to the business. Can you just talk about, in terms of this environment that we're seeing across the board, in terms of increased cybersecurity spend, larger deals, you know, both enterprise and federal, just talk about where you guys are positioned there. I mean, is that something that you're seeing in terms of giving you increased confidence for the year? Thanks.
Sumit Thakkar
Yeah, I think what we're seeing right now is that a lot of our customers, especially if you see some of the recent attacks, they are really looking at solutions that are going to help them detect the issues quicker, faster, and take response actions so that they can mitigate this. Because otherwise, with the plethora of point solutions that are out there, it takes a long time for them to be able to find the breaches that are going on or the misconfigurations that lead to these breaches and today we feel like with the platform which focuses on both aspects of security which is the risk mitigation as well as the threat detection and response capabilities, we feel like our platform is well positioned for that and in our conversations with our customers and when as I mentioned a couple of examples where customers are adding capabilities of patch management to those agents that already have EMDR as an example or looking to add EDRs so that they can consolidate that agent and get to the point of getting the information across these different solutions quickly. They see the value in what we are doing and Obviously, as they look to ingest the Qualys platform and integrate that into their current environment, this is something that we work with them. Some of it is part of the free services that we offer so they can see the value of the platform and what it brings to them. So we feel that the customers will be looking at a solution like Qualys essentially to consolidate their solutions, not just from a perspective of spend, but also just being able to get to the issues for security quicker and faster rather than spending large amount of dollars on putting together these point solutions through SIM, et cetera, and then having a lot of analysts having to read through those to find the issues that they have.
Qualys
Great. Thank you.
Operator
Thank you. Our next question comes from Yun Kim of Lease Capital Market. Your line is open.
Yun Kim
Thank you. Again, sorry to hear about Phillip and hope for a quick recovery. Julie, quick question on the guide. It looks like based on your Q1 guidance and guidance for the year, you are expecting a somewhat consistent year-over-year growth throughout the year, 10% to 11%. But shouldn't we expect to see VMDR adoption start being a tailwind to revenue growth, at least starting the second half of the year? Just trying to better understand if there are other dynamics to revenue growth that we're not thinking about.
Ben
Yeah, so... It's true that with the newer solutions, we're very optimistic about VMDR, patch management, even multi-vector EDR, which is newer. However, the adoption of newer products and when it's going to translate into revenue is a bit uncertain. Historically, what we've guided to with setting the annual revenue guidance, really we look at our current bookings and pipeline to inform our guidance. Because of that, this is the visibility that we have right now. In Q1, the guidance that we have is basically what we expect to achieve based on the opportunity that we see ahead. And then for the latter half of the second half of the year, it's a little bit too early to tell, but we thought that it was prudent to guide to the 10% to 11% growth for the full year.
Sumit Thakkar
And if I can add to that, you know, VMDR is definitely something that we – see customers really asking for it, and we see that it takes them sometimes based on their environment to deploy VMDR, but once they have that, which drives the adoption of the agents, We are seeing, as I gave that example, and also earlier in the year we saw some customers are able to move very quickly to add additional services within a couple weeks. In other cases, customers do take time to integrate that into their security portfolio before they can then move on to additional capabilities that VMDR forms the base for.
Yun Kim
Okay, great. And Sumit, first congrats on the CEO appointment. Clearly the VMDR adoption is going well. You have the big SDR launch coming up. At least from the product perspective, you guys have definitely become a full platform provider now. So the next step is your go-to-market and, you know, obviously the Salesforce ramp. In your previous remarks, there's a lot of hiring planned, but can you give us some insight into how aggressive you are planning to add the sales capacity this year? And also, any updates in regards to your go-to-market you know, plans in the hyperscale cloud environment, such as you and GCP. And is that, are those channels, the hyperscale cloud environments, that channel largely driven by new customer ads? Thanks.
Sumit Thakkar
Yeah, so I think, you know, first to address on the sales motion, I think As you saw, we've already started on the hiring. As I mentioned, we hired an EVP for field operations in the U.S., an EVP for new business in the U.S., an EVP and GM for SME, SMB business. And then, as I mentioned, we'll also be hiring a chief revenue officer this year. And there's many other things that we're doing, so it's not just hiring of the salespeople. Of course, we trying to increase the count of our quota-carrying sales folks. But in addition, we've also really bolstered our marketing platform, hiring a CMO. We also hired a few heads of product, VP of product for cloud and VMDR and a few of these other areas really to help package better the platform, work with our sales team for better sales enablement. And so a combination of all of those things is what we are optimistic about will drive the expansion in the revenue. And I think that's really the strategy there in terms of just how we are going to proceed in the future. As far as the GCP and the Azure environment goes, I think a lot of it is about built-in capability. And this is where our platform really quickly allows these customers who are moving into the cloud environment to be able to leverage not just vulnerability management, but patching, you know, in some cases, the cloud environments hosting critical data like FedRAMP. They need file integrity monitoring. They need EDR. So we are well positioned to provide those once they get the agent. So what we have focused with Google and Azure and everyone is the back-end integration of getting our agent integrated, and you saw a couple of those announcements that happened in 2020, is to get that back-end integrated into their platform. So then the customers who could be, and we see a mix sometimes, it's like new customers who are looking to quickly build a solution, they leverage the built-in capability. In other cases, existing customers, take a hybrid approach where they leverage Qualys platform for certain capabilities. They have the built-in integration in Azure so that they can provide their end users quick visibility into what they need to fix, whereas the security team is then able to look at the visibility of the overall security portfolio within the Qualys console. So we feel that as more organizations are moving into more real cloud-native re-architecture of their solution. I think we provide a pretty robust integration and also the opportunity to add more capabilities quickly because then that agent is seamlessly dropped onto those virtual devices running in those environments.
Yun Kim
Great. Thank you so much for that detailed answer. And congrats on the appointment again, Sumit. Thank you.
Operator
Thank you. Our next question comes from Matt Hedberg of RBC Capital Markets. The line is open.
Matt Hedberg
Great. Thanks for taking my questions. And our thoughts go out to Philippe as well. You know, you guys, you know, when sunbursts and silver winds hit, you know, you guys had a lot of really helpful press releases out, you know, sort of talking about the benefits of the Qualys platform. You know, obviously it didn't impact your Q4 revenue, but I'm curious if you could talk about, you know, has it aided pipeline generation? And I would assume you're probably not including it in your guidance, but maybe just talk about, you know, if that's helping kind of the go-to-market pipeline initiatives.
Sumit Thakkar
Well, it's a two-pronged approach. One is obviously we put out these services just like we did with the free endpoint security solution. We put these services out first and foremost to help our existing customers get a handle of their environment, maybe able to use modules that they don't have from Qualys right now, haven't purchased, but then be able to use that to mitigate the risk. So when we did that 60-day free service around Solargate, we What was really unique is that not just were we providing the detection of these vulnerabilities that were part of the FireEye stolen tools, you know, which we, as we publish, was like in millions that are out there. We also provided the ability for these customers to leverage the Qualys patch management capability for free to immediately patch those vulnerabilities, right? So that's the big difference, that it's not just we're saying, hey, here, run a scan and you see the findings. Where we focus on is, if you already have Qualys agent and you're not using patch management here, we turn it on and within a few hours you're able to patch these hosts for these vulnerabilities and you can see the ease of use of that platform. And while obviously that generates additional lead and things like that, the goal there really for us is to establish that, let's call it like a proof of concept or a credibility with our customers, help them see the ease at which that they can leverage the additional capabilities from Qualys once they already have VMDR or if they can quickly move to VMDR and they can grow from there. And once that is established, at the end of the day, that doesn't necessarily mean that the customer is immediately going to purchase that solution. But what it does is that it creates the foundation for them to understand that they have a solution already in place that they can move quickly whenever their maybe existing solution is coming up for renewal or replacement. And so we look at it more as just creating that opportunity to showcase to them the capabilities of the platform. And as you know, we don't really push our customers to, you know, being a subscription service to buy, buy, buy immediately. We really work with them on their schedule and their comfort. But the key there for the free services, which is a key part of our go-to-market, is just being able to have that ability to showcase to them, hey, you know, if you already have an agent within a couple hours, you can see the ADR events for that on these critical systems.
Matt Hedberg
That's helpful. And then, you know, I just wanted to ask or kind of dig into kind of core VM growth. You know, obviously you're seeing a lot of growth. You talked about cloud agent subscription growth of 80%, and, you know, there's a lot of new products that are launching. But I guess my question is, you know, with a 10% to 11% guide this year, I mean, I kind of think of that as kind of like the VM growth rate. You know, is there something that's suppressing VM a bit? I mean, is it a COVID headwind? Just trying to get a better understanding of how you're thinking about sort of like core growth. Obviously, you've got growth outside of that that's aiding, but just kind of core VM would be helpful.
Sumit Thakkar
Well, I mean, Core VM, really, we changed the game for VM last year, right, with VMDR. And so where VM was really in the past just about, can you throw me a list of CVEs, has really been transformed by Qualys VMDR into a single capability which includes the prioritization and the ability to fix those issues as well. And that's why you see the excitement in our customers to move to a vulnerability management solution that does all of those together in a single agent, as an example. But obviously, when they look at that and they want to move to that, they may have an existing batch management solution, a batch management team that is different from the security team. So there is a process that they go through to work through with their teams internally figure out the right way where maybe in some cases they may start smaller for batch management in certain areas. In cases we see batch management is driving the VMDR. Sale as well, in some cases the customer takes time to integrate VMDR into their solution. And last year we also saw in some cases we had a customer that was able to move to Qualys patching because they already had VMDR. for 250,000 assets within two weeks. So it's just different for different customers based on where they are in their journey, their environment. So in some cases, as we saw that with COVID, the remote endpoint need for patching drove quicker adoption of patch management. In other cases, teams are taking longer to go through their process of implementing these solutions.
Qualys
Thank you very much.
Operator
Thank you. Our next question comes from Shelby, BFI of FDNC3. Your line is open.
FDNC3
Yes, thank you very much. Can you talk about the potential for the company to reaccelerate growth to the mid-teens? I know you're waiting for the new products to ramp, but when they are ramping, whether it's maybe later this year or early next year, do you think the potential is there to grow in the mid-teens?
Sumit Thakkar
We've really been focusing on, as you saw on the platform, not just the core VM and VMDR, but also you saw some of the new services into additional environments. So what our focus has been is to get that platform to the level where as customers are looking to consolidate maybe in a few months, later this year, early next year, whenever that is, that we have all of the capabilities lined up for them to be able to move into the Qualys platform. And so we are hopeful With all of these changes and that additional golden market initiative that we have put in place, we are hopeful for an acceleration of growth in the next few years.
FDNC3
Okay. And also, your percentage of VM customers up for renewal who renewed with VMDR, I think it didn't really grow that much. It was like 35% adjusted, the same as last quarter. Why do you think it didn't grow? And where do you see that percentage going to by, say, the end of the year?
Sumit Thakkar
So I think we think that 35% is a good percentage of an adoption for our customers, especially when you have customers that are larger. So it really depends in that particular quarter what is the mix of customers that is up for renewal. if those customers who have, for whatever reason, are going to take time to... Because as you see with VMDR, it's not just the vulnerability management feed. It comes with additional capabilities like asset inventory and patch detection and prioritization. So the customers need to also be able to ingest that capability into their current security program. And so that may need some resource on their side to line up maybe developers to get API calls, etc., So it just depends in that quarter what mix of customers comes up and what they are ready to do. As you know, we don't really push, push, push on them to do it because it's a subscription-based business. But what we do expect, obviously, is that we already had these people converted, so as the next quarters come around, the conversions will build on top of the existing conversions that we've already done, right? So obviously we see that to the next few quarters, we will see more and more of our customer base getting converted to VMDR.
FDNC3
Thank you.
Operator
Thank you. Our next question comes from Eric Cepeda of JMT Cities. The line is open.
Eric Cepeda
Question. And again, I, I, And our best wishes for a speedy recovery for Philippe. The hiring, it sounds like you're going to step up hiring in sales, but my impression was that you've been hiring as quickly as you could in sales in the past. What are you going to do to accelerate your hiring efforts there?
Sumit Thakkar
Yeah, so I think we've, as you saw already in the last couple of quarters with the list of the key hires that we have done, we have already started on that journey to accelerate the hiring and the sales and marketing, right? So we have some key folks hired not just on the sales side, but also, as I mentioned, on the VP of product side who are going to help the sales enablement as well as bringing in the CMO and bringing in... additional headcount on the quota-carrying salespeople. But part of that, as I mentioned, we are also going to be hiring a chief revenue officer who will come in and have a focused approach towards accelerating our revenue and what are the various things that we can do in addition to these hires that we have done to do a better approach to our customers, positioning our platform, positioning our portfolio. and having them look at Qualys as an option to their existing security solutions. So that's really the direction that we are going, and we've already started on that journey today.
Eric Cepeda
And then how are you looking at operating margin in terms of longer-term targets? Are you going to be – right now you're in the upper 30s – Where do you think that your longer-term target will fall if you're going to be stepping up some of your investments?
Ben
Yeah, so, I mean, this year we set a record EBITDA margin of 47%. The way we think about it is we really have the industry-leading margins, and where we're focused right now is better balancing growth with profitability. We don't see a scenario where we wouldn't have the industry-leading margins regardless. So what we've said before was, Even with an increase in investment that Sumed just talked about in sales and marketing, R&D, as well as customer support and operations and G&A, we think that our EBITDA margin at the end of the day will be above 40% range. And that with an acceleration in revenue, which will come in turn following the investment, I think that we will still have a really great profile and are very optimistic because especially with the traction that we've been able to make With hiring the sales leadership as well as marketing leadership, we do think that the acceleration will be happening on the hiring front as well because we have the leaders in place.
Eric Cepeda
Okay. And you said it will be around 40% or above 40%, did you say?
Ben
Yeah, it will be above 40%. Okay.
Eric Cepeda
Very good. Thank you.
Operator
Thank you. Our next question comes from Sterling Adia. Thank you.
Sumed
This is Matt for Sterling. Thanks for taking the question. You mentioned a few metrics excluding a channel partner that churned off your OEM solution. I was wondering if you could elaborate a bit more on that and if there was any impact to the quarter in terms of revenue and how is that affecting your guidance for the next six weeks? Thanks.
Ben
Yeah, it's not a churn. It's actually just normalizing for channel customers who are coming direct off of an OEM relationship. So for example, under our strategic alliance deal, we had one partner where it was an OEM relationship. That partner had multiple different customers at the end point, and they decided to come direct. And so obviously, that did impact the number of renewal deals up for renewal in Q4. And so normalizing for that noise, it ended up being about 35% of VM customers who were up for renewal in the quarter renewed into VMDR. And, you know, if you take a look at it on the dollar impact as well, it's trending nicely, so it wasn't a negative impact at all.
Sumed
Great. That's very helpful for clearing that up. Just a follow-up question. There's a big jump in long-term deferred this quarter. We're just trying to, you know, see if you could provide any additional color on that impact and should we kind of expect a higher level of long-term deferred? as an overall part of the mix? Thanks.
Ben
Yeah, so that's really driven by customer. So what we've seen is with BMDR, we've seen that average contract length has been trending up, and that's actually demonstrated by the RPO. This goes in our 10Q and then 10K. It's been going up, and I think that's a testament to how our customers really see the value in our product. They're not afraid to sign up for more than a year, and so that really drove the increase in long-term deferred. But it's not something that we push on customers. Like Sumed said, it's really up to the customer. And so if they're willing to sign up for more than a year, it's great because they lock it in, lock the price in. It's better for them, and that's reflected in our financials.
Sumed
Great. Thanks, guys.
Operator
Thank you. Our next question comes from of Northland Capital.
spk13
Yeah, thank you. So I just want to double-click on the 1Q21 guidance in the context of your short-term billings growth of 12% and 10% for the full year. Or maybe it was the other way around. Anyhow, it seems like good billings good billings on a short-term billings basis and excluding the strategic relationship that you talked about, which is not affecting anything at all in reality. It just seems like I want to understand why are you guiding to a deceleration in revenue growth given the robust short-term billings that you saw in the most recent quarter?
Ben
Yeah, so current billings tend to fluctuate. So if you take a look at, you know, because we're subscription-based, our revenue gets amortized over 12 months, so our current billing impact from earlier in 2020 is actually taking place and having an impact in Q1 revenue as well. So, for example, our current billings grew by 7% in Q2, 7%. picked up to 8% in Q3, and then Q4 was strong in terms of 12%, but there are puts and takes, right? There are natural fluctuations, and if you just take a look at the revenue amortization schedule, it ends up being that, you know, based on total revenue, which approximately 85% is already booked based on the prior ASV, right? And so this is the visibility that we have right now, ending the quarter or estimating the quarter will end at about 10%. And then the other factor that I want to highlight is typically Q1 is lighter just because of the number of days that gets impacted. So this quarter, especially in terms of the year over year, we are losing a day, and then the quarter over quarter, we are losing two days. And so that actually impacts the revenue guidance as well.
spk13
I see. That's helpful. And then slide 15 is a recurring slide that you guys have, but the data from there does look good. It does attest to increasing spend due to the platform approach. Is it possible that you're seeing elevated customer churn in the SME segment that that particular slide does not necessarily capture?
Ben
But honestly, we've seen very strong retention, strong growth. I think that what's really been impacted from COVID is new and potentially upsell. But in terms of our retention rate, nothing significant has changed, and we haven't seen a downward trend in both enterprise revenue.
spk13
Okay. Thank you.
Operator
Thank you. Our next question comes from Hamza Fadrella of Morgan Stanley. Your line is open.
spk11
Guys, thank you for taking my question, and I'd also like to extend my best wishes to Philippe on speedy recovery. Smith, my first question for you is kind of a follow-up to the SolarWinds question. I want to drill into IT asset discovery specifically, right, because that's one area I think we've heard a lot about coming out of the supply chain attack, really trying to figure out kind of what assets are exposed Can you talk a little bit about the prioritization of that service specifically? I know you're not going to see anything in your pipeline right away. The attack just happened in December, but I'm wondering in terms of your customer conversations and when you speak to customers, both SolarWinds, is that something that comes up a lot?
Sumit Thakkar
Absolutely. This is something that we're hearing a lot from our customers because if you look at a little bit of the mechanics of the attack, there was the supply chain where the software came in, the Trojanize software, but then there was also lateral movement within the environment. There was lateral movement into the SaaS environment, so there was elements of O365 accounts that went back and forth between the the email and the O365 environment as well as the AD that was in-house. And so, you know, the first thing that everybody really stumbled on is to say, well, what do I have in my environment, right? Where do I have the strogenized software, you know, even before I get into knowing whether I have vulnerabilities or issues or not. And that's where that asset inventory and the ability for us to give them the you know, one of the most accurate views of that inventory within that entire environment that includes, you know, assets that are managed and unmanaged. So with a combination of our agents and passive scanner, really that conversation is coming up more and more. and also leading into conversation about, you know, what am I running? Is there end-of-life software that I'm running? What do I need to do about that? Where I find end-of-life software or Trojanized version, what assets is that particular asset speaking to in the environment? So that's where that combination, and this was the point I was trying to make earlier, is that Your first approach is going to be, well, I need to find and I need to find if there is an impact, right? That's where your threat detection and response, which is your EDR, XDR solutions are going to come into play. Then I need to make sure that I'm taking all of the remediation actions to be able to make sure that I'm mitigating my risk by identifying other devices in the environment that may not be properly configured, that can be leveraged for lateral movement, etc., And if you tie in our SaaS release that we just did, which gives you the configuration of your O365, Zoom, Salesforce, et cetera, so now you add this other element that also makes sure that as customers move into hybrid environment, they're able to see a much more holistic picture of the platform. Definitely the starting point for all of that is that global asset inventory and the fact that it is bundled as part of the platform and that they don't have to go and get another solution to deploy for finding their inventory. customers.
spk11
Got it. Thank you. And then just maybe a follow up on go to market. You know, you announced a number of sales leadership appointments, right? You're looking for a CRO currently. I'm wondering who was the de facto head of sales before? I mean, was it, you know, was it Philippe? And also, do you think that this is a function of maybe of adding capacity or do you think that there has to be sort of more changes in the sales organization structure?
Sumit Thakkar
Yeah, I mean, Philippe was a de facto head for sales. However, I was very involved working with Philippe on with the field as well. And I think it's a combination, as we mentioned, right? So there's our model, we are very strong believers in our model of the hunters and the farmers. We're not, you know, changing that to go and push more and more where customers don't need products. However, bringing a CRO, bringing that leadership is going to help us find additional ways to focus on where we can approach customers, which customers can we track for targeting for upsells, etc. So while there obviously there will be some changes in the way that the new CRO or the new leadership that is coming in is looking to find as an example ways to have more of a connect with C-level executives, right, so that we can evangelize the power of the overall platform rather than just the vulnerability management approach that we have taken. So I think there will be, obviously, newer ideas that we will be looking at and looking to implement. But fundamentally, you know, what we have been working on, we do believe in that base and the power of that model.
Qualys
Thank you very much.
Operator
Thank you. Again, if you'd like to ask a question, please press star then 1. Our next question comes from Brian Essex of Goldman Sachs. Your line is open.
Qualys
Good afternoon, and thank you for taking the question, and would like to extend, you know, my thoughts for a speedy recovery for Philippe as well. Hope all is well with him. Maybe, Jumi, You know, I know that in the past you've talked about, you know, some hesitation about investing in sales and marketing and bringing on new reps in a period of economic volatility. Maybe could you talk a little bit about what you're seeing and maybe Sumedh chime in as well in terms of what you're seeing? I guess that's different now. That gives you a little bit more confidence that you can onboard reps and headcount in the sales and marketing field. organization where they could ramp efficiently and they might be productive and they'll hit expectations?
Sumit Thakkar
I think, and Jumi will obviously answer that part, but what I see right now is that a big part of this is more and more of our newer services are have matured and are coming to fruition and our customers are adopting them and seeing that interest and the speed of adoption in the cases where they have EMDR already. So that obviously drives our thought process on, you know, we feel that if you look at file integrity monitoring, container security, patch management, some of these things are really starting to show, you know, very good results tracking with our customers and the upsell to them. And so I think that is also part of when we look at, you know, bringing additional leadership headcount is, you know, where are we and how ready are our customers as well.
Qualys
Got it. And maybe for Jimmy, so helpful, thank you for that. Jimmy, if we think about, you know, the level of margin contraction we'll see this year as you invest in sales and marketing in R&D. How should we think about the level of balance to growth and margin expansion going forward? In other words, is there a framework that you're looking at with respect to being able to deliver margin expansion after a year of maybe call it recovery and we might see better growth in 2022?
Ben
Yeah, the way we think about it is it's not something that is new to us. We've done it before because if you take a look at the company history, like, for example, in our investor debt, we show the CAGR from 2017. Back in 2017, our current billing grew by 21%, right? And at that point in time, our EBITDA margin was 37%. If you take a look at the EBITDA margin now, we're at 47%. And so you could argue that, you know, we could definitely – do a better job in balancing growth with profitability, we should definitely invest more. And that margin expansion was really driven by the sales and marketing underspend relative to that point back in 2017. So in 2017, the sales and marketing as a percentage of revenue was 26%. That is now down to 17%. With that said, given our scalable business model and our infrastructure and how we've grown, we don't think that we have to go up as high, and that's why we think that our EBITDA margin will be above 40%. But we understand that, you know, similar to before, if we invest more in sales and marketing, that will return and translate into a billing growth and then eventually revenue.
Qualys
Got it. That's helpful. Thank you very much.
Operator
Thank you. I'm showing no further questions at this time. I'd like to turn the call back over to Sumit Thakkar for any closing remarks.
Sumit Thakkar
Well, thank you everyone for attending our earnings call and for all the questions, and we hope that you are safe. We really feel very fortunate to be well-positioned with our cloud platform in an environment where there still are a lot of point solutions that are focusing only on one aspect of security, whether it's just EDR or just vulnerability management. Today, we really work hard to build a platform that is providing multiple different capabilities now, including SASDR. And with the VMDR, with multi-vector ADR, SASDR, forthcoming XDR solution, we continue to invest in expanding the capabilities of our platform and aggressively developing new solutions. Additionally, we are also focused on growing our revenues and maintaining our industry-leading profitability while creating long-term value for our shareholders. I hope all of you remain safe and healthy. Thank you very much.
Disclaimer