11/5/2024

speaker
Operator

Ladies and gentlemen, thank you for standing by. Welcome to Koala's third quarter 2024 investor call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question and answer session. To ask a question during the session, you would need to press star 11 on your telephone. You will then hear an automated message advising your hand is raised. And to withdraw your question, please press star 11 again. Please be advised that today's conference is being recorded. I would like now to turn the conference over to Blair King, Investor Relations. Sir, please go ahead.

speaker
Blair King

Thank you, Michelle. Good afternoon and welcome to Qualys' third quarter 2024 earnings call. Joining me today to discuss our results are Samantha Carr, our president and CEO, and Jumi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today And we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release prepared remarks and investor presentation are all available on the investor relations section of our website. So with that, I'd like to now turn the call over to Smed.

speaker
Smed

All right. Thank you, Mr. King. And welcome to our third quarter earnings call. Q3 was another quarter of rapid innovation for Qualys, reflecting our ongoing commitment to technology leadership, cybersecurity transformation, and successful outcome for our customers. As I have focused on product management and marketing in the last few months, I have personally spoken to many seed souls who are struggling with way too many security tools from shift left to runtime, creating too many findings that are overwhelming the IT and dev teams. leading to multiple siloed top 10 dashboards and an inability to articulate the true risk to the business stakeholders. They are feeling the pressure to articulate the ROI of their security spend and rationalize the security spend in context of the risk to the organization, to their CFO, CEO, and board members. Risk can only be mitigated if it is remediated and performed in a timely manner. There is an immediate desire to stop playing the risk whack-a-mole and establish a properly operationalized risk management process by implementing a modern risk operation center. At our recent QSC event in San Diego, we ushered in the next era of cybersecurity innovation by announcing the GA of Enterprise True Risk Management Solution, which is the world's first cloud-based ROC. ETM transforms siloed data into cohesive real-time risk management solution by consolidating Qualys and non-Qualys data from several technology design partners, including with AWS, Microsoft Defender, Oracle, Okta, and Forescout. The result is a single comprehensive AI-powered platform that aggregates security findings, unifies third intelligence, and provides organizations with actionable enterprise-wide insights to prioritize and remediate cyber risk with unique business context and financial impact via cyber risk quantification. Unlike some exposure management platforms in the market that only expose the exposure based on data their sensors collect and provide no remediation capabilities, Qualys ETM comprehensively provides a single risk view that goes beyond vulnerabilities across code repositories, on-prem, cloud, container, remote endpoint, identity, OT, and IoT findings from multiple existing security tools. in the customer environment along with patching and remediation capabilities. With ETM, Qualys has set a new gold standard in the industry for proactive cybersecurity risk management. Cyber risk orchestration is coordinated, quantification is comprehensive, remediation is transformed, and the enterprise-wide ROC at scale is now a reality. We see many parallels between this new market opportunity and the early days of VMDR, including a significant greenfield opportunity and being early to market. I encourage all of you to watch the video describing our ETM Powered Rock in more detail at qualys.com. We also announced MROC, which will enable many managed service providers to deliver services on the Qualys ETM as a managed risk operation center. Lastly, we announced a cyber insurance company is going to provide Qualys ETM customers with additional discounts on their premium for lower true risk score shared directly from ETM, allowing customers to transfer the residual risk to their business. With a rock delivered by Qualys ETM, we are now empowering C-level executives and security teams with out of the box, instant and actionable insights into trending risk specific to their vertical and map to their own data to preemptively identify prevailing threats well in advance of a potential security incident. With this new app, which we call TrueLens, going GA soon, CISOs and their security teams can immediately be notified of potentially impacted IT and IoT assets within their environment. The materiality of these assets to their business, the associated impact to their overall risk score, and are equipped with the ability to make a remediation frictionless and immediate with a simple click of a button. Alongside several other existing announcements at QSC San Diego, we were pleased to commence GA of both our True Risk Eliminate and Qualys Total AI capabilities, marking another milestone in Qualys' 25-year history of cybersecurity innovation. We are pioneering these categories, and both are key differentiators on our platform. These new approaches to cybersecurity risk management, along with several others on our roadmap in the coming quarters, arm our customers with the tools necessary to navigate an increasingly complex threat environment and regulatory environment, streamline security operations, and reduce cost. Moving to our business update, with many of our customers already embracing Qualys to help re-architect and consolidate their stack, Qualys VMDR has translated into an enviable customer base, broad adoption, and notable industry recognition. As recently announced, Qualys' VMDR with TrueRisk was recognized by GigaOM as a comprehensive risk-based approach to vulnerability management and a leader in the category for the fourth consecutive year. We believe Qualys' placement as a leading vulnerability management solution further validates our investments in the platform and continues to represent the high watermark for securing customer environments today and in the future. Given Qualys' demonstrated track record for delivering greater value to customers, our VMDR solution with TrueRisk is not only fueling new logo lines, but also helping to increase platform adoption, especially in the areas of cybersecurity asset management with EASM, patch management, and cloud security. Let me share a couple of recent wins. which illustrate why companies turn to Qualys to help consolidate their security tools and fortify their security operations. In Q3, one of my favorite wins was a large federal government agency becoming a Qualys customer. This new customer was previously using multiple legacy and next-gen solutions to manage a variety of risk management use cases across their security IT and DevOps teams. In addition to the complexity of using multiple point solutions, The government agency was also frustrated with increasing costs associated with on-prem deployments, the inefficiencies of operating siloed systems, and elongated remediation efforts. Looking to migrate to a natively integrated cloud-based FedRAMP high-impact level ready solution that meets the CISA binding operational directives, we displaced five of the existing vendors in a seven-figure bookings deployment using multiple Qualys modules right out of the gate. These initial deployments included cybersecurity asset management with EASM, VMDR, and with TrueRisk, patch management, policy compliance, and EDR. Through this highly strategic and competitive win, the customer is now able to leverage unified dashboards that provide them with greater insights and automation than any of the competitive solutions that they had evaluated, while taking full advantage of a natively integrated platform. This win alongside a separate seven-figure upsell with an existing large government agency customer and a significant state win are a testament to our ongoing investments to expand our federal, state, and local government business in the United States. Continuing our global expansion, I'm pleased to announce that IRAP in Australia has recently assessed QALYS at the protected level. This achievement opens the door for Australian government agencies and commercial organizations looking to comply with the ACSC essential aid strategy as well as their PSPF requirements to meet their country's most stringent security and compliance standards. Our successful assessment follows Qualys' approval as a cybersecurity service provider to the Victorian state government for vulnerability management services. Qualys has been selected through a highly competitive and extensive vetting process and is being bundled into managed service delivered by ENY. Turning to the momentum we are seeing with our TotalCloud CNAP solution in a mid-six figure booking upsell with a financial services company in the global 200, this existing VMDR and CSAM customer selected TotalCloud to scale their container deployments to over 70,000 hosts, monitoring millions of Kubernetes container images daily. Through its evaluation of competing cloud security providers, this customer determined that alternative point solutions added complexity to their operations, lacked integration, and missed detection, which hindered their ability to assess risk and consolidate their security tools. Today, through a highly scalable natively integrated CNAP solution, this customer is leveraging the Qualys Enterprise to its platform to combine runtime insights with proactive risk management while actively detecting anomalies, preventing zero-day attacks, closing compliance gaps, and remediating risk with ITSM integration through a single dashboard from code to cluster. These capabilities provide the visibility, automation, and cloud hygiene necessary to defend against today's adversaries and represent a significant long-term growth opportunity for Qualys. Our growing partnership leadership in the Cloud Market was also recently recognized by Gartner in its July 2024 Market Guide for Cloud Native Application Protection Platforms. With seamlessly integrated solutions delivered natively on our platform to solve modern security challenges, more and more Qualys customers are beginning to understand how cybersecurity transformation drives better security outcomes, saves time, and costs less. As a result, customers spending $500,000 or more with us in Q3 grew 15% from a year ago to 200. Consolidation isn't just happening with customers, it's also embraced and prioritized by our partners where we continue to see an increase in new customer deal registration and cost sales. We believe the expansion of our partner program continues to reflect our strengthening brand awareness and strategic position in the market. We believe our natively integrated platform that comprehensively measures, communicates, and remediates cyber risk brings a highly differentiated value proposition to our customers as they get more security using fewer resources with the Qualys Enterprise Tourist Platform. With a unique opportunity in this environment to further strengthen our strategic position as the partner of choice for customers looking to re-architect and consolidate their security tools, To evolve, to solve modern security challenges, we believe we can continue to grow long-term, maintain best-in-class profitability, and invest in key initiatives aimed at further extending the gap between Qualys and the competition. With that, I will turn the call over to Jumi to further discuss our third quarter results and outlook for the fourth quarter and full year 2024.

speaker
Jumi

Thanks, Ned, and good afternoon. Before I start, I'd like to note that except for revenues, All financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. Turning to third quarter results, revenues grew 8% to 153.9 million, with channel continuing to increase its contribution, making up 47% of total revenues compared to 43% a year ago. As a result of a continued commitment to leverage our partner ecosystem to drive growth, we were able to grow revenues from channel partners by 17%, outpacing direct, which grew 1%. By GEO, 14% growth outside the U.S. was ahead of our domestic business, which grew 5%. U.S. and international revenue mix was 58% and 42%, respectively. In Q3, we saw some stabilization in the selling environment, but believe ongoing budget scrutiny will persist for the foreseeable future. Reflecting the sentiment, our growth retention rate remained largely unchanged at approximately 90%. But with stronger upsell performance, our net dollar expansion rate came in higher at 103%, up from 102% last quarter. We continue to see a positive growth trend in new business, achieving a double-digit growth rate for the fifth consecutive quarter. In terms of product contribution to booking, patch management and cybersecurity asset management combined made up 15% of LTM bookings and 24% of LTM new bookings in Q3. Cloud security solution, Total Cloud CNAP, made up 4% of LTM bookings. The foundational theme underpinning these results is the power of our enterprise true risk platform to help customers consolidate cybersecurity at scale. Turning to profitability, reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2024 was 69.7 million, representing a 45% margin compared to a 48% margin a year ago. Operating expenses in Q3 increased by 12% to 61.8 million, primarily driven by an 18% increase in sales and marketing investments aimed at capturing the market opportunities in front of us. As we continue to increase our investment intensity, and focus on sales and marketing enablement, customer success, and productivity, we believe we will be able to drive wallet share and long-term returns. APS for the third quarter of 2024 was 1.56, and our free cash flow was 57.6 million, representing a 37% margin, compared to 64% in the prior year. In Q3, we continued to invest the cash we generated from operations, back into quality, including 3.4 million in capital expenditures and 44.9 million to repurchase 344,000 of our outstanding shares. As of the end of the quarter, we had 185.7 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenues. For the full year 2024, we are now expecting our revenues to be in the range 602.9 to 605.9 million, which represents a growth rate of 9%. This compares to revenue guidance of 597.5 to 601.5 million last quarter. For the fourth quarter of 2024, we expect revenues to be in the range of 154.5 to 157.5 million, representing a growth rate of 7% to 9%. This guidance assumes later new businesses quarter based on current pipeline and continued deal scrutiny from existing customers with no meaningful change in our net dollar expansion rate in Q4. Shifting to profitability guidance. Factoring in the better than expected profitability today, we expect full year 2024 EBITDA margin in the mid 40s and free cash flow margin in the mid to high 30s. We expect full year EPS to be in the range of 5.81 to 5.91 up from the prior range of 5.46 to 5.62. For the fourth quarter of 2024, we expect APS to be in the range of 1.28 to 1.38. Our planned capital expenditures in 2024 are expected to be in the range of 12 to 16 million, and for the fourth quarter of 2024, in the range of 5.5 to 9.5 million. Adding additional context, we are currently making certain investments in some of our data centers to achieve greater operational efficiencies and reduce medium to long-term marginal costs. These investments pressure gross margin in Q3 by approximately 1%, and we anticipate a similar contraction in Q4. With respect to operating expenses, in Q4, we expect to continue to prioritize an increase in investment in sales and marketing, and that's driving more pipeline, supporting sales, enhancing our partner program, and expanding our federal vertical with more modest increases in engineering and GNA. With that, Sumedh and I would be happy to answer any of your questions.

speaker
Operator

Thank you. As a reminder, to ask a question, please press star 11 on your telephone and wait for your name to be announced. And to withdraw your question, please press star 11 again. And our first question comes from Jonathan Ho with William Blair. Your line is now open, sir.

speaker
Jonathan Ho

Hi, good afternoon and congratulations on the strong results. Sumedh, can you talk a little bit about some of the changes that you've implemented on the product marketing side and maybe help us understand maybe what that impact could be just moving forward? It seems like your CNAP products did quite well this quarter.

speaker
Smed

Yeah, thank you. Great question. So I think where we see the opportunity really is aligning overall messaging around the different modules to the messaging around business risk and risk quantification that we have been talking about, which is really helping customers sort of, you know, there's a lot of people talking about single pane of glass and platformization and different things and just bundling products for the sake of bundling. I think for us, as we launched The Rock, which is a big, sort of an announcement that we made around QSC, which is really bringing all the things that we're doing in cybersecurity together from a risk operationalization perspective. At the end of the day, how much money you spend on cybersecurity is really directly proportional to how much risk you perceive to the business, and a lot of CISOs struggle to even articulate that. So if you don't necessarily have a good view of how much risk you have to the business, how do you decide on how much you should spend on the different areas of cybersecurity? With product marketing and product management, we have really focused on the last couple of months on realigning our messaging to the risk message instead of just individual modules and products. Of course, the journey that we have started on, but really being able to have that quantification conversation with a single risk score across all the different capabilities in the platform and bringing in third-party tools so we are not getting into the conversation of replacing existing tools We're saying if you have these tools that you like, you can keep those, but we can bring the data into the Qualys platform and give you that very simplistic view of essentially what is the risk so you can articulate that risk to your management, to your board. And that is resonating extremely well. So when people are saying, I want to consolidate different tools or bring data together, it is really at the end for the purpose of understanding what does it mean to have so many different risk factors affecting a particular business entity. What does that mean in terms of how much risk do I have to the business? And so this change in marketing, product marketing, the announcement of the ROC, as well as the MROC, a lot of these things are very new in the way that we have announced them at our QSC event.

speaker
Jonathan Ho

Excellent. And then just for Jumi, can you talk a little bit about the strength you saw this quarter in terms of the net retention And should we expect things to maybe trend towards this positive direction, just given the release of the new products and the new sort of bundles that you've put together? Thank you.

speaker
Jumi

Yeah, we were really pleased with the outperformance and the upsell, especially after a few consecutive quarters of a tickdown in the dollar expansion rate. So we're pleased to report that it's increased back up to 103%. Now, with that said, what we're assuming for the guidance is no material improvements in Q4 based on the current deals in play, what we're seeing in the business today. We are optimistic in the longer term that we will see that continue to tick up, but for the purposes of guidance, we are assuming no material change right now.

speaker
Momentum

Thank you.

speaker
Operator

And the next question comes from Roger Boyd with UBS. Your line is open.

speaker
Roger Boyd

Oh, great. Thanks for taking the question. I want to touch on the channel. You continue to sound pretty confident in the opportunities that are unlocking there, particularly with the new platform offerings with MROC. It's clearly showing up in the revenue numbers, but whenever you could just expand on the momentum you're seeing there and maybe to what extent was channel a material contributor to the pretty strong 3Q Billions growth here. Thanks.

speaker
Smed

Yeah, I think at a high level, we are happy with sort of the journey we started a year, year and a half ago around really focusing more with our partners, channel partners to bring a business to us, you know, increasing deal rates. So we're seeing positive momentum there. And I think as we're seeing that momentum, what we are really looking forward to is Embracing the strategy, which is our partner for strategy, right? For both a new business and for upsells. We're looking to say, how do we work with our partners and pivot more and more towards helping them not just bring a resale deal to us, but with the launch of the MROC, how can we enable these partners to now provide some meaningful services to the customer? For a long time, MDRs and managed SOCs have been something that they have been focusing on. But a lot of our partners now are excited that after a few years, they actually have the ability to now provide some really fresh new services in cybersecurity that are relevant to their customers, especially around providing a risk advisory service, a risk quantification service, and a technical service around ability to ingest data from multiple different tools, a prioritization ongoing risk monitoring service around the raw, a board reporting service so that they can have reporting that actually is meaningful to the board. Then of course, a remediation packaging service where they can actually take packages. So for us, we see as we work with our partners and AT&T company Level Blue signed up as the first MROC partner, and expanding from just channel partner, just managed service providers to even cyber insurance companies that we're talking to is that partnership that can essentially help to say if you invest a certain amount in building out a risk operation center, that can give you benefit with lower risk scores and getting out of this like too many alert fatigue to actually focus on saying that this can actually give us and a meaningful discount on our cyber insurance premium because we have set up a rock with the true risk score. So we see that a lot of things that we're doing really is about how do we embrace this partner for strategy across the board and creating products and capabilities and service that actually our partners can offer services on top of what we do and not just picking and reselling the capabilities.

speaker
Operator

And our next question comes from Patrick Colville with Scotiabank. Your line is open.

speaker
Patrick Colville

Thank you so much, Sue and Jimmy. Congratulations on a very healthy print. I guess I want to focus specifically on the current billings performance, which is highly impressive. The question I'm getting is, were there any deals, remind me, that was pushed from 2Q into 3Q? Or were there any deals that were signed in three queues or maybe kind of pulled in for four queues? I mean, I guess were there any one-offs maybe is kind of phrased more succinctly this quarter with the current billings performance?

speaker
Jumi

There were, but not outside the normal course of the business. In any given quarter, we do have some deals that get pushed out and then pulled forward. And so it was a typical quarter from that perspective. With that said... When you take a look at current billings, it does get impacted by the billing schedule and the contract terms for the customers. And I would say that, you know, the 14% that we just posted, it is higher than the booking performance just based on the billing schedule. And so one of the things that we do take a guide to is if you take a look at it on an LTM basis or even year-to-date basis, that helps to kind of smooth out the lumpiness in current billing. And so I would say that's probably more indicative of the business momentum that we see today.

speaker
Patrick Colville

Very helpful. And so I guess you just touched on this now, but I guess I want to zoom in on exactly what you said. So is using kind of an LTM basis the best way to get a kind of normalized view of what things might be next year? You know, I appreciate you're not providing an early guide, but, you know, is that kind of, mid to high single-digit level the right level on a forward-looking basis, or should we expect more like a double-digit performance like this quarter?

speaker
Jumi

Yeah, it's a little too early to be commenting on this next year, but because of the focus on current balance, I would say that, look, like the best guide that we could give right now, the indication that we can give for Q4 is more or less in line with our revenue growth guidance. So we're guiding to seven to nine percent revenue growth rate for Q4, and I would say that currently we are expecting it to be more or less trend in that direction.

speaker
Patrick Colville

Terrific. Thank you so much, and well done for a great print.

speaker
Jumi

Thank you.

speaker
Operator

The next question comes from Kingsley Crane. Your line is open.

speaker
Kingsley Crane

Great, thanks. Really impressive results. I'm sure it's gratifying for the whole team. I just want to get a little bit more granular on what drove the strength from a product perspective. It seems like with TrueRisk and TotalAI that those are really going to be more meaningful over the next couple quarters and years. Thanks.

speaker
Smed

Yeah, great question. Look, I think overall we're happy to see we're in a good quarter. We're happy about that. We're glad to see the pickup in the NRR that we saw this quarter. We're happy with multiple quarters of new business growth that we have seen, though. As you mentioned, looking at sort of the Q4 pipeline, we expect some of the new business stuff to moderate a little bit. But having said that, our federal investments that we have been making, we saw some good momentum and good deals with upsells and new business from the federal side as well in Q3. And we're happy with how our total cloud solution has been evolving and also the kind of performance that we saw from a Q3 bookings perspective as you saw you know VMDR or vulnerability management is really shifting with people buying more patch management that's part of VM solutions rather than just scan only tools and so you saw you see that reflected in 15% of the LTM total bookings being patch management and CSAM and then 24% of new bookings, LTM bookings are cybersecurity asset management and patch management in addition to VMDR. And so these new product capabilities that we are providing with VMDR are driving the net new business coming to us because people are saying instead of just moving from a scanning only solution to another scanning only solution, They're buying patch management. They're buying cybersecurity asset management in the first purchase itself. We're also seeing some of them buy the cloud security solution in the first purchase itself. And so as we continue to put more training, more resources, more product marketing around the local cloud, and then the risk operation center, ETM driving it, we're also seeing some very, very positive early conversations with customers around total AI. because what is happening right now is a lot of IT teams are getting ready to deploy some form of AI into production next year. They're coming to the security team and saying, hey, can you guys certify this? And most security teams today don't have any idea what to test from an AI LLM security perspective. And so with Qualys Total AI providing almost like a point and shoot scanner for AI that tests jailbreaks and some of the common AI vulnerabilities and giving a thumbs up or a thumbs down is really the perfect recipe for what they're looking for at this point of time. So we're seeing that momentum building up as well. And so as we get into next year, we're looking forward to continuing that momentum with patch management, cybersecurity asset management, bringing on more customers who are looking at cloud security solution consolidation as we are seeing wins against the established cloud-only players that are the ones in the market. We're seeing wins against them. One of those we highlighted here as well. And then also we are seeing that the amount of interest in The ROC and the ETM is very, very high. Our strategic advisory board CISOs, we are seeing a lot of them eagerly waiting to test this, try this, and really hitting a key point of contention that they are seeing with their management and their board. And so we feel like as we get into the next couple of years with growth on cloud, federal, ETM, and AI are really building up some very, very nice opportunities potential growth opportunities for us over the next couple of years.

speaker
Kingsley Crane

Great. That's really helpful. And Sumedh, I just want to take a step back and circling back to the departure of NCache, the chief product officer in September, which had been planned. I mean, what have you learned operationally over the past couple months? Do you feel like you have the appropriate bandwidth? It seems like you do. It seems like things are going well.

speaker
Smed

Yeah, I do. I think it's always good to get back in and see. And, you know, like most places, you just get people to talk to each other. What a wonderful impact that can make. And so I think as I stepped in and brought the product management, product marketing teams together, and we were able to really just in a very quick period come up with this branding of Risk Operations Center, which is a wonderful way of describing instead of calling it security data lakes and all kinds of different names that people are struggling with, it's resonated really well, and this just came from the creativity of our product management and product marketing team sitting together and saying, what are we eventually offering our customers instead of coming up with some very fancy terms and names, like it's literally just a risk operation center that helps them operationalize their cyber risk. And so I'm able to really see that enthusiasm in the team coming together, and you're seeing some of that with the messaging and the clarity and the crispness of the messaging that is coming out of Qualys now as we've evolved ourselves from just being a vulnerability scanner into a really much bigger, broader platform for risk management and not just scanning and finding vulnerabilities.

speaker
Kingsley Crane

Great to hear. Thanks again.

speaker
Operator

And the next question comes from Joel Fishbein with Truist. Your line is open.

speaker
Joel Fishbein

Thank you for taking the question, Sumedh. Just to follow up on the product questions, Really interested in TrueRisk Eliminate. Seems like a very differentiated product. Love to hear what the early feedback is and when does it specifically go to market and when do you expect revenue to come from the management platform altogether? Thanks.

speaker
Smed

Thanks, Joel. You always ask the product question. I like that. So it's really TrueRisk Eliminate is very interesting. So I mean, if you recall into the history, A few years ago, when I introduced patch management, there was a lot of pushback at the time. The analysts were not quite ready for that, and the market and even our competition today hasn't really picked that up. But patch management has become a real differentiator for the vulnerability management solution that we have, which has really helped us evolve our vulnerability management solution. And our customer spend has really been now distributed between scanning and patching with us. And while there were initially some questions on would anybody buy patch management from a vulnerability scanning vendor, today, just this year in 2024, Qualys agents have deployed 78 million patches in our customer environment, right? So we are looking at some significant uptake in the patching cycles from our customers and the number of devices that they are patching, et cetera. However, patching is a little bit of a political battle in customer environment between IT team and security team. And so we run into that sometimes. It's also an operational challenge, right? The more patches you deploy, the more opportunities that something could go wrong. And so there is hesitation on patching, though it is required. So with TrueRisk Eliminate, we have come up with a very nice packaging that not only does patch management that we have done, but it also now provides ability to mitigate the issue without patching. So our agents can actually deploy very specific mitigation because we study how attackers go about attacking a device and we can make some small changes to the device that will prevent the attacker from being successful even without deploying a patch and this is really something that our customers are really really looking forward to because those who cannot buy patch management can now buy the mitigate capability because now they're saying look we're not buying patching but we're buying something that allows us to mitigate the risk and also it all provides a capability of isolation And so we're seeing some highly regulated environments where they're saying, look, if I cannot catch, I cannot mitigate, I'm going to actually take the machine off the network because it has way too much risk and I just cannot take that kind of risk. And so this packaging is something that just rolled out to production this quarter. As we start to get this messaging out, we talked to our strategic advisory board members. They were very optimistic about that because it helps them address the IT political challenge internally, but it also helps them address the zero-day challenge where there is no patch available and devices are being attacked. We can actually provide solutions for that. And so I'm looking forward early next year for that momentum because now we just go back to our existing customers who have patch and say, hey, here's an upgrade that you can buy. that allows you to also bring Mitigate, and those who are resistant to patch management can now actually purchase the Mitigate capability as part of the Eliminate, where they say, well, I'm not patching, but I can actually buy this additional capability. So lots of interesting opportunities, and as we start to roll this out more broadly and getting early adopter customers using it, we're optimistic for this to be something that will see more momentum next year.

speaker
Joel Fishbein

Great. Thank you so much.

speaker
Operator

And the next question comes from Rudy Kessinger with DA Davidson. Your line is now open.

speaker
Rudy Kessinger

Hey, guys. Great. Thanks for taking my questions, and congrats on a strong quarter, particularly on revenue and billings. Similar to Patrick's question, I guess I'm curious on the revenue outperformance in the quarter. One of your largest, I think, as a public company, if not your largest relative to your guys, it sounds like upsell – being better than expected was the primary driver. But I'm curious if that was it or anything else to it in particular on the upsell. Just, you know, was it a handful of large upsell deals or was it broad-based better upsell than expectations?

speaker
Jumi

Yeah, from an upsell perspective, it was more or less broad-based and we were really pleased with that performance just because if you take a look at the recent quarters, because we've been underperforming not only in Q2, but it's been continuing to tick down from a net dollar expansion rate. We were conservative in how we were viewing the potential results of Q3. And so with our net dollar expansion rate finally going back up to 103%, it was really primarily driven by the upsell performance, our focused execution, getting the deals in the quarter that we had to work with. And then in addition to that, you definitely helped as well because you're seeing a continued momentum in the new business bookings where we're able to take some market share, get the new logos in. It's another double-digit growth. And so looking to Q4, we don't expect that to continue. We do expect a lighter new business quarter. And then on the upsell, we don't anticipate a similar rate of success on the upsell based on the deals that we see today.

speaker
Rudy Kessinger

Okay, that's helpful. And then I believe in an answer to a question earlier, you said Q4 current calculated billings in the 7 to 9 range that you're guiding to on revenue. Just to be clear, was that for... CCB for Q4 or for trailing 12-month CCB in Q4, 7% to 9%? Yeah, Q4 CCB.

speaker
Jumi

Okay. Got it.

speaker
Rudy Kessinger

Thank you.

speaker
Operator

And our next question comes from Matt Hedberg with RBC. Your line is open.

speaker
Matt Hedberg

Great. Thanks for taking my questions. So, Matt, you know, a lot of positivity from this quarter. The channel contributions really stood out to me in new product momentum. I guess I'm curious, you know, based on what you've seen now and maybe, you know, through the first month of before, can you comment on the durability of these trends? You know, they seem to have an idiosyncratic nature versus maybe more macro-driven, but I was kind of curious on if you could provide a bit more color on maybe the durability of some of these trends that you're seeing.

speaker
Smed

You know, I think if you look at the conversations that we are having, our user conference that we had in Mumbai as well as in San Diego, the strategic advisory board, you know, we just did this one exercise where we gave mock money to these CISOs to put on different products and the momentum, like the interest that we saw with AI, et cetera. I think there's a real desire and a real focus on we need to move in this direction. We can continue to just buy more tools and get more alerts and just randomly ask IT and dev teams to start to fix everything. So aligning with this sort of business outcome and figuring out how do you get that one view of the different risk factors while keeping your tools and not having to go into the conversation, having to replace. I think the momentum around looking to replace or get more total cloud and AI opportunities seems to us is very real. I think, but it is, the reality of the macro is still there where there is extra scrutiny on the deals where deal cycles are longer. So I think we're encouraged with the conversations, the momentum, the level of interest. I think all of that has been quite positive. Now, how did that translate quarter over quarter in the short term? I think it's something that is combination of our execution, which you are happy with how we did in Q3, and then focusing on some of the pipeline build that we need to have, etc. I think what I look at is given these different capabilities are quite differentiated. I mean, if you look at Rock ETM, if you look at Eliminate, if you look at the patching piece, if you look at AI security that we have, these are quite differentiated from what the The nearest competition has. So I think in the longer term, I see that as the focus on cybersecurity is starting to, is going to be stable and people continue to come back to say, what are the areas of focus I have? I look forward essentially for these things to make a bigger impact in the, you know, in the next two, three years, rather than sort of trying to time just the next couple of quarters. So I think the interest in all of that is real. I think how the deals close, I think some of that is going to be lumpy as we have seen the last three quarters.

speaker
Matt Hedberg

Well, that's super helpful. And maybe this kind of personally answers my next question, but for Jimmy, just maybe a point of clarification i know you said even just to the answer to the last question that your guidance assumes lighter new business trends for 4q i just wanted to put a finer point on that is that is that something is that is that a trend that you're seeing or is it just like you know sort of layers of conservatism uh you know as you go into what typically is a pretty strong uh you know end of your uh quarter for you guys it's definitely not a trend that we're seeing today i think that um

speaker
Jumi

We've seen the trend where the new business bookings have been performing very well year to date for us. What I'm commenting on is based on the deals that we're looking at in the outlook, kind of the pipeline per se. We are seeing a lighter pipe than we would like to see for Q4. So because of that, I'm pointing to the fact that we've had this consecutive quarter of double-digit new bookings growth, which was great. I don't necessarily see that continuing Q4, not to say that it won't continue out to 2025. I'm just giving a little bit of color for Q4.

speaker
Smed

Yeah, just to add to that, as you know, right, I mean, the pipeline in Q4 is informed by efforts that were made a couple quarters ago. And so the changes in marketing that we have made are, you know, are important for us to understand kind of where we came from. And we look forward to with the changes that we have made to bringing that pipeline back home. I think the Momentum over the last few quarters has been quite encouraging and has been a trend essentially, right? I think Q4 is calling out sort of what we see just for Q4 at this point. Got it.

speaker
Momentum

Thank you both for the answers.

speaker
Operator

And our next question comes from Trevor Walsh with Citizens. Your line is open.

speaker
Trevor Walsh

Great. Hi, team. Thanks for taking the questions. Samantha, I know you had a lot of questions already around risk, so I wanted to just maybe back out from a super high-level view. You had a good slide in the deck around just all the different tools out there that are quantifying risk in some way and totally understand or get kind of where you guys are coming from and being kind of the consolidator of all those different views. Can you just maybe tell us from the customer view of the conversations you've had What's maybe the one or two things that you think customers are going to lean on or like look to Qualys to kind of be that consolidator around risk as you roll out enterprise curious management?

speaker
Smed

Yeah, excellent question. I think there are some smaller companies that are doing some form of quantification, but if they're focusing on the quantification from a dollar value perspective, they're not necessarily doing the finding consolidation of pulling data from multiple tools. And then if there are some tools that are doing some of that, Primarily, they're putting a lot of their data from Qualys, and they're not doing a really good job of quantification, and neither tool is doing a good job of any remediation at all. So at the end of the day, you spend billions of dollars building all these nice dashboards, and staring at them doesn't mean anything if you don't actually get remediation done. And so the level of interest from a lot of our customers is very high with the ETM and the ROC story, because first of all, those who are Qualys customers already have that information about asset inventory, which is a foundational element of any ROC. is already in Qualys. The findings, a large part of the findings are already in Qualys and now they can just take their time to start to plug in additional sources with the partnerships that we announced with some of these key vendors that they are using. And so that, being able to have that inventory, being able to consolidate on a scalable platform. So we have a proven scalable platform where we can bring millions and millions of findings and actually provide that visibility with the scoring, which is another capability that a lot of customers use, but then ultimately being able to create reporting that is relevant to the board and the remediation part are really the differentiator. You could have some folks who are consolidating some stuff and giving some risk numbers, but ultimately they don't really help you actually get things fixed and provide you a report that you can take to the board for the most part. the fact that we are able to actually bring these different pieces and tools that are out there instead of having multiple silos, bringing all of that in one workflow. And, you know, it's a lot easier from what the feedback that our CISOs gave us is they say, when I'm going for a conversation about cybersecurity in a budget, it is a lot easier for me to talk to the board to say that we are putting in place a risk operation center, which is going to operationalize our risk across multiple tools. rather than go and ask for money for the next big trend that has come out and whether it's zero trust or this or that. I can't explain that if I'm going to go and do something around zero trust as an example, what is the outcome that the company or the business is going to get. But with this, I can... report something that says my $500 million business unit have a possibility for $10 million loss per day. And my score that is collected from multiple different vendors in a single score is giving an indication that there is a high possibility that you're going to lose that $10 million a day. And when I take that to my CFO to say, look, our score is high, the possibility of losing $10 million a day is much higher. then it's a much better conversation to have to say, like, can we spend $650,000 to put these four controls in place, which will then bring the risk down to 30%, which is an acceptable level, and you can prove that that risk actually came down. And that conversation is a lot easier for them rather than going and asking for more money to deploy the next big thing in security without actually being able to explain what they're going to get in return for that other than just saying, oh, we're going to make things safer. And so that's where the initial enthusiasm is very high that the time to value is very fast because a lot of the data is already in Qualys. I think for the business side, I'm excited because our sellers and our partners, when they go to prospects who maybe has other competing solutions, they don't have to walk away or get into a protracted battle for replacement. They can say, okay, give me the data of your four different security tools. I can show you value in the next one hour. of how all of that can come together and give you a true risk score. We're also looking at existing customers adopting more modules because these modules are already integrated into the true risk scoring, rather than having to go with other solutions, which then they again have to pull feeds and feed into something. So there's a lot of positive things that we see with the ATM Rock from not only for the customers, but for our business as well. And so our focus for the next few quarters really going to be on executing across different fronts. But as you can see, we have really taken a holistic approach on not only the product marketing of it, but also forming the M Rock as well as the cyber insurance, cyber insurance as the other end of the risk transfer market as well. So That's really what customers like. It's not just a one score here. It's really a comprehensive look at how they can provide this visibility to their board and management.

speaker
Trevor Walsh

Great. Thanks so much for the perspective. One quick follow-up for you, Jimmy, if I can. Appreciate the color around some of the sales and marketing investments made in the quarter and kind of the effect on operating expenses there. I think that's been a theme for a few quarters now around just the overall investments, whether it's channel or otherwise. Can you just maybe give us a sense of how you're thinking about tracking the ROI from these investments, maybe like a few levels deeper than the metrics that we're seeing, whether it's revenue or billings and just how you kind of are seeing whether or not these different choices that you're making are kind of paying off? Thanks.

speaker
Jumi

Yeah, the way that we measure ROI, I mean, one of the kind of the standard metrics is obviously from a direct sales force perspective, the sales productivity, how much bookings we're able to generate for each brand sales headcount. And the way that we've been tracking on that metric is we haven't seen that significant of an increase overall just because you have placentas. We have pre-sales business. The sales director working on the new business bookings has been doing really well this year, as indicated by the fact that we've been growing new bookings in double digits. Now, on the post-sales side, if you take a look at the renewal and upsell, we haven't done as well in that area for this year. And so what we're trying to do is really taking a look at the sales org overall to make sure that the structure is set up properly for us to really accelerate growth next year. And as we go through the 2021 planning, we will be taking a look at that in addition to all the initiatives that we've kind of tried out this year when it comes to the channel partners. We've been trying to invest in channel, whether it's from like setting up MSSP portal, making sure that they're incentivized from the deal rights perspective or sharing rebates with partners. We're taking a look at the different campaigns to see which ones worked and then which ones we should continue into 2025 and how that will impact our profitability.

speaker
Trevor Walsh

Great. Thank you both. Appreciate the answers.

speaker
Operator

And our next question comes from Srinik Kothari with Bayard. Your line is open.

speaker
Srinik Kothari

Thanks for taking my question. Congrats on the really great quarter, Sumedh. I asked about the federal last quarter and the first public sector summit at the time and sounded quite enthusiastic about it. You highlighted some great wins in Q3. Just if we can help quantify or any color in terms of the potential uplift relative to your expectations or seasonality. And you mentioned that the pipeline is still looking pretty robust from a federal standpoint in terms of the momentum beyond just the 3Q budget. You can talk about specific products and go-to-market strategies there specifically in relation to deepening federal relationships and federal agencies and how to expand into new departments there. And then I have a quick follow-up.

speaker
Smed

Federal is an area of focus for us the last year or so. In a big way, of course, we have always focused on getting our FedRAMP medium certification for a few years, and that's definitely helped to get our name out there. But focused team building, where we hired Bill Hawkins really to build up our federal sales practice, work with our partners. The first conference that we did from a marketing perspective to get Qualys and the name out there, and the work that our team is doing with these agencies, and we highlighted one net new seven-figure deal and Upsell for seven figures in this quarter are really good indicators of what the interest level is in consolidating multiple different tools. That's the good news in the federal space. Focused on complexity and cost is driving people to drop four or five different solutions in favor of one single Qualys platform. Typically, these are bigger names that we are replacing as well. So we see the momentum. I think, as you know, federal business is Q3 budgets and it's a little bit lumpy that way. But overall, we are seeing positive momentum as we get into the next few years. I think it takes time to build out that federal practice where it's a significant amount. And so we are looking forward to continuing that investment into next year on the federal side and then seeing the outcome of that. But we're pleased with what we're seeing right now.

speaker
Srinik Kothari

Very helpful. Just a quick follow-up for Jumi. You touched on and mentioned the billing schedule, if I heard it right. If we can kind of delve a bit more into at all kind of change in terms of scheduling compared to what you perhaps said last quarter in terms of billing growth expected to kind of mirror revenue growth for like mid-single digits in the second half. Just trying to understand if there are any factors which might be missing contributing to the upside in relative to the revenues here.

speaker
Jumi

Yeah, the current billings, it tends to fluctuate and there's definitely lumpiness in current billings when you're looking, trying to use it as a proxy for booking performance or business trajectory. And so that's what I was commenting on. There was nothing really that was significant to highlight. There were some deals that were pushed out and then pulled forward. So nothing abnormal or significant, but You know, last quarter, as an example, current billings happened to be lower than the bookings performance. And then this quarter, it's a reverse. Current billings growth happened to be higher than the bookings growth performance. So you see that fluctuations and that lumpiness. So I would say that if you're really trying to use that as a proxy for bookings, using it on an LTM basis is probably more accurate.

speaker
Srinik Kothari

Got it. Thanks, Jillian. Appreciate it.

speaker
Operator

And our next question comes from Young Kim with Loop Capital. Your line is open.

speaker
Young Kim

Thank you. First, congrats on our solid execution. Sumedh, good to see continued solid bookings around new products. If you can give us some insights into the go-to market around these new products. For instance, is the sales process for these new products, is that primarily driven by renewal process? And also, what kind of traction are you seeing with new customers for these new products?

speaker
Smed

Yeah, I mean, as Juby talked about it, right, if you look at patch management, cybersecurity asset management, 24% of new bookings is basically coming from these products. And so this is really thanks to the execution in sales enablement, sales training that Dino and team have been really focusing on is the ability for our sellers to go in and not have the conversation of, oh, our scanner is a little bit better than the other scanner, really to talk about the comprehensive ROI of saying you cannot scan without an inventory and there is no point of scanning if you don't patch things. And so Qualys is the only platform that is really providing the ability to have all of these three together. And so in this market that is what is helping customers make the decision to say, even if they may be satisfied with the current scanner that they have from a scanning perspective and they look at it holistically at their vulnerability management workflow. And we had a session at our QSC where we said Qualys is putting the M back in VM, is the management of vulnerability management process is important. As our sellers are now going in and positioning the comprehensive packaging and a new business is giving us advantage because then when we provide that and the customer goes back to a competing solution, they cannot offer patch management. They're not offering patch management. In fact, I talked to a CISO of a new logo that just came on board and he said he did talk to a competition and said one of them is doing management they said well then in that case you should go to Qualys and so we're seeing that these new product capabilities are differentiating as we are evolving out of just a vulnerability management scanning tool which is something that people are not focusing as much on to just say okay we want to scan stuff so new products are getting momentum as I said total cloud we had a good quarter with total cloud and we're happy with that right now so we are seeing even net new business people coming to us look at to say, well, I could buy a cloud scanning only solution, but then it doesn't scan my desktops and my laptops. So might as well go with something like Qualys, which again is providing a comprehensive solution where we're not cloud only, though we are very good at the cloud security. We also provide the ability to assess all of your other devices as well in the same context. Enablement has been a key focus for us this quarter, and they've been really putting a lot of focus on getting our sellers to articulate the newer messaging rather than just sort of going and saying our scanner is better than your scanner.

speaker
Young Kim

Okay, great. I just want to make sure, though, is the selling around these new products driven by the renewal process, or is it independent of that?

speaker
Smed

Sorry, the what process?

speaker
Young Kim

The renewal.

speaker
Smed

Oh, renewal?

speaker
Young Kim

Yeah. Are you selling these new products in conjunction with renewals or is it really independent of the renewal process?

speaker
Smed

Oh, yeah, yeah. No, no, both. So, yeah, I get the question. So, the 24% that we talked about for ADM was on new bookings that come to Qualys, which is net new logos coming to Qualys, right? And then the 15% is overall that includes existing customers who are either buying additional cybersecurity asset management and patch management, or in some cases might be adjusting some of their VM spend to spend more on patching and buying more patch management. So it's both. We're seeing that in both places. So we are attracting net new logos because we have cybersecurity asset management and patch management, and we are also creating opportunities to upsell to existing customers these new capabilities because we don't see that with the competition.

speaker
Operator

We would like to thank everyone for your participation. This will conclude today's conference call, and you may now disconnect.

Disclaimer

This conference call transcript was computer generated and almost certianly contains errors. This transcript is provided for information purposes only.EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.

-

-