This conference call transcript was computer generated and almost certainly contains errors. This transcript is provided for information purposes only. EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.

Qualys, Inc.
2/6/2025
And thank you for standing by. Welcome to Qualys' fourth quarter 2024 investor conference call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question and answer session. To ask a question during the session, you will need to press star 1-1 on your telephone. You will then hear an automated message advising your hand is raised. To withdraw your question, please press star 1-1 again. Please be advised that today's conference is being recorded. I would now like to hand the conference over to your speaker today, Blair King. Please go ahead.
Thanks, Gigi. Good afternoon and welcome to Qualys' fourth quarter 2024 earnings call. Joining me today to discuss our results are Sumedh Thakkar, our president and CEO, and Jumi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. Reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks, and investor presentation are all available on the investor relations section of our website. So with that, I'd like to now turn the call over to Sumedh.
Thank you, Blair, and welcome to our fourth quarter earnings call. Looking back to last year, I can truly say that 2024 was a year of incredible product innovation and rebranding of Qualys as we celebrate our 25th year anniversary. As one of the first SaaS security companies in the world, we have continuously strived to exceed market expectations and serve as the leader when it comes to disruptive technology in cybersecurity. Today, the message is clear. Today's CISOs want to anchor cybersecurity conversations around business risk reduction as the impact of their cybersecurity spend. The market wants a platform that enables them to speak unified language of risk to their boards and business partners while letting their teams pick the underlying platform and best of breed solutions for specific areas in cybersecurity rather than an aspirational goal of consolidating 50 different cybersecurity vendors into one. Recognizing the difficulty and complexity of implementing and utilizing multiple security solutions from numerous security vendors, we have evolved our platform, previously focused on vulnerability scanning and telemetry collection, to become a full-feature risk analytics and quantification platform, bringing data analytics and insights with embedded AI models to customers while giving them the flexibility to continue to leverage their existing security tools. The net result for customers is a vendor-neutral orchestration layer that provides full visibility and risk scoring for an organization's entire attack surface, aggregates and correlates all security findings, leveraging over 25 threat feeds, and powers a single AI-driven workflow that centralizes, quantifies, articulates, prioritizes, and remediates cyber risk while delivering the efficiencies of consolidation. The rebranding and continuous enhancement of our platform is a result of our unwavering focus on prioritizing our customers' need and addressing their challenges with innovative new solutions. 
In 2024, this collaboration led to significant platform enhancement that bolstered our strategic relevance and further expanded our market opportunity. We introduced TrueRisk Eliminate to extend our remediation capabilities beyond patch management. We enhanced our cybersecurity asset management capabilities with patent-pending technologies to turn previously unknown internal and external facing assets into security managed assets in real time. We brought the MITRE ATT&CK prioritization matrix into the Qualys TrueRisk platform to uniquely predict, identify, and respond to critical risk with an attacker-centric view. With Total AI, we delivered groundbreaking new capabilities to find and secure generative AI applications and large learning models. We organically unified Cloud Infrastructure Entitlement Management , Container Runtime Protection, Kubernetes Posture Management, SaaS Security Posture Management, and our AI Power Truist Insight capabilities into our Total Cloud CNAP platform with multi-cloud ITSM integration, strengthening our market position and further flexing the power of our platform. We went GA with our enterprise to risk management solution, setting a new gold standard in the industry for proactive cyber risk management and planting the flag for organizations to operationalize a modern risk operations center, ROC, at scale. In less than a quarter since going GA with ETM, we have seen strong interest with currently over 50 active prospects for POC. Our ETM solution goes beyond current continuous threat exposure management CTM platforms with our ability to speak business language, effect remediation actions, and partner with cyber insurance underwriter. We believe these innovations will allow our customers to standardize on a trusted platform like Qualys, layering on top of their other existing cybersecurity solutions. 
With a long track record of solving the most challenging cybersecurity challenges, challenging use cases for our customers, Qualys pioneered the cybersecurity patching category, seamlessly integrating it into our platform and bridging the gap between IT and security teams. Last year, we successfully deployed over 100 million patches with Qualys agents, and in turn eliminated over 100 million potential incidents in our customer environment. Despite this achievement, our journey has shown that patching alone is simply not enough. That is why we introduced TrueRisk Eliminate, which revolutionizes patching by empowering organizations to isolate critical assets or implement compensating controls protecting against zero-day vulnerabilities and misconfigurations when patches aren't available or feasible to deploy. This is a major competitive advantage. And our innovation doesn't stop there. We recently introduced TrueRisk Uninstall as a fourth component to our TrueRisk Eliminate package. TrueRisk Uninstall allows organizations to hunt for, detect, and uninstall end-of-life software, misuse or unused application, and other forms of tech debt while removing one of the most highly exploited attack paths available to adversaries with a simple click of a button. In cloud, our innovation engine continues to execute at a high level. We believe we are increasingly well-positioned to expand our share of the evolving cloud market as CISOs look to evolve this space approach into multi-cloud environments as well. Advancing our competitive differentiation, we have recently brought many new capabilities into our agent and agentless total cloud CNAP solution, including comprehensive attack path analysis, enhanced risk quantification, leveraging our TrueRisk Insight capability, and automated no-code, low-code cloud workflow remediation. 
This latest release, which we call TotalCloud 3.0, unleashes an organization's ability to easily visualize the entire blast radius of an asset's attack path and systematically identify, prioritize, and resolve critical threats for free runtime and runtime protection. As a result, TotalCloud 3.0 is streamlining operations with an unparalleled outside-in and inside-out perspective of an organization's cybersecurity posture for secure cloud consumption. In our view, TotalCloud 3.0 is one of the most comprehensive CNAP solutions available in the market today, and its growing momentum is a strong testament to the assurance customers place in Qualys every day. Finally, with the introduction of Qualys' Total AppSec, we are now providing customers with the ability to expand their AppSec assessments into expanding attack surface with the use of APIs for B2B and mobile apps. Qualys Total AppSec includes comprehensive inventory and threat assessment of their web applications and APIs with unified malware detection and automated response. Moving on to business update, over the past several months, I personally met with many customers, prospects, and partners. These conversations all center around the same topic. Customers require a holistic view of the cyber risk, one that is quantified and prioritized, articulated in terms of risk to their business, and remediated to an acceptable level in a single integrated workflow on top of their existing solutions. Given Qualys' blueprint for delivering these requirements with greater value to customers, our technologies are not only fueling new local land, but also helping to increase broader platform adoption, especially in the areas of VMDR, cybersecurity, asset management, patch management, cloud security, and now the risk operation center delivered by Qualys ETM. 
With thousands of customers consolidating on Qualys enterprise risk platform, let me again share a couple of recent wins which illustrate why these companies are turning to Qualys to help unify their security tools, quantify cyber risk in their environment, and fortify their security operations. First, an existing global 100 multinational insurance company security team with multiple tools in their environment face increasing personnel costs and struggle with limited visibility into their overall risk profile. Through a highly competitive RFP process, this customer chose Qualys and launched and initiated the Collapser security stack in just data from other cybersecurity tools to the Qualys platform and rich asset context with business information brought by their CMDB integration and centralized remediation. This includes the purchase of eight Qualys modules and deploying ETM to begin orchestrating the ROC resulting in a seven-figure annual booking fee. We are now quickly migrating numerous data sources to the Qualys platform and delivering the outcome of consolidation and quantifiable risk and automated response aligned with business priorities. The momentum we see with TotalCloud's CNAP solution in a mid-six-figure booking upsell with a global fitting enumerate, this existing VMDR cyber security asset management web application scanning and customer assessment remediation customer launched and initiated to further unify its security stack and replace its incumbent cloud-only security vendor. Through its evaluation, this customer determined that alternative point solutions added complexity to their operations, lacked integration and risk detection, which hindered their ability to assess risk and consolidate their security tools. 
Today, through a highly scalable natively integrated CNAP solution, this customer is leveraging the Qualys Enterprise Choice platform to combine insights from build-through runtime with proactive risk management while actively detecting anomalies, preventing zero-day attacks, closing security gaps, and remediating risk with IDFM integrations through a single dashboard across its on-prem hybrid and multi-cloud assets. These capabilities provide the visibility and automation necessary to defend against today's adversaries and represent a significant long-term opportunity for Qualys. With seamlessly integrated solutions delivered natively on our platform to solve modern security challenges, more and more Qualys customers are beginning to understand how cybersecurity transformation drives better security outcomes, saves time, and costs less. As a result, customers spending $500,000 or more with us in Q4 grew 13% from a year ago to 207. Consolidating workflows isn't just happening with customers. It's also embraced and prioritized by our partners, underscored by an interestingly strong mix of new business and significant growth. As we continue to endorse a partner-first sales motion, partner-led deal registration, and win rates increase in Q4. In addition, with the launch of ETM, many of our security service providers are now deeply engaged for the first time in delivering new managed risk operations, MROC services, encompassing risk quantification, security tool integration, risk monitoring, and matching. Similar to how MSSPs monetize the SOC for post-breach response, the MROC is now the new frontier for MSSPs to capitalize on the centralized and automated services approach to pre-breach risk management. Partners are actively spearheading these new initiatives with Qualys as the MROC platform of choice. Turning to our executive team update, I would like to congratulate Dino DiMarino, our Chief Revenue Officer, who has decided to accept a CEO role at another company. 
I wish Dino well and thank him for his contributions during his tenure at Qualys. As we continue to focus on executing our product-led growth vision and partner-first strategy, I plan to oversee the sales organization while continuing to grow and scale the sales group. We're fortunate to have a talented next-level team of regional sales leaders who are energized by our competitive position in the market and ready to drive our business forward. With our FedRAMP High Ready platform anticipating FedRAMP High certification in 2025, and our continued investment in federal GTM, we've been excited about the massive opportunity as the federal government looks to change the way things have been done in the past with conkey and costly on-prem solutions and move to cloud-based, modern, effective, and cost-efficient solutions for cybersecurity risk management. In summary, I couldn't be more confident in our market position and opportunities for growth over time. Our leadership as a trusted security platform is a clear reflection of Qualys' dedication to continuous innovation, delivering value to customers, and transforming cybersecurity risk management. Looking ahead to 2025, we'll continue our disruptive innovation, further advance our go-to-market investments, and execute our strategic vision with a balanced approach to long-term growth and profitability. With that, I'll turn the call over to Jumi to further discuss our fourth quarter results and outlook for the first quarter and full year 2025.
Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenues, all financial figures are non-GAAP, and growth rates are based on comparison to the prior year period, unless stated otherwise. We're pleased to report a healthy finish to the year, highlighting our continued execution, financial discipline, and scalable business model. For the full year, we grew revenues by 10% to $607.6 million and achieved adjusted EBITDA margin of 47%, even with continued 14% growth in investments in sales and marketing. Net income and EPS grew 16% to $229 million and $6.13 per diluted share, respectively. And free cash flow reached $231.8 million, or 38% of revenues, all of which exceeded our expectations for the year. Turning to fourth quarter results, revenues grew 10% to $159.2 million. The channel continued to increase its contribution, making up 48% of total revenues compared to 44% a year ago. As a result of our continued commitment to leverage our partner ecosystem to drive growth, we were able to grow revenues from channel partners by 18%, outpacing direct, which grew 3%. By geo, 15% growth outside the U.S. was ahead of our domestic business, which grew 7%. U.S. and international revenue mix was 58% and 42% respectively. With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2025 to remain stable with ongoing budget scrutiny persisting for the foreseeable future. Reflecting this sentiment, in Q4, our growth retention rate remained approximately at 90%, and our net dollar expansion rate came in at 103%, unchanged from prior quarter. In terms of product contribution to bookings, task management and cybersecurity asset management combined made up 15% of total bookings and 24% of new bookings in 2024. Our cloud security solutions, Total Cloud CNAP, made up 4% of 2024 bookings. 
We attribute this success to our customers' need for broader contextualized awareness of their attack surface with natively integrated risk management and remediation workflows across all environments on a single platform. Turning to profitability, adjusted EBITDA for the fourth quarter of 2024 was $74.2 million, representing a 47% margin, compared to a 46% margin a year ago and 45% last quarter. This stronger than expected performance resulted from our targeted optimization efforts, which was part of our 2025 planning process. Consequently, operating expenses in Q4 remained relatively flat to last quarter, while sales and marketing investments grew moderately by 5% from last quarter. EPS for the fourth quarter of 2024 was 1.60, and our free cash flow was 41.9 million, representing a 26% margin compared to 22% in the prior year. In Q4, we continued to invest the cash we generated from operations back into Qualys, including 5.8 million on capital expenditures and 42.3 million to repurchase 312,000 of our outstanding shares. As of the end of the quarter, we had $143.4 million remaining in our share repurchase program. We're pleased to announce that our board has authorized another increase of $200 million to the share repurchase program, bringing the total available amount for share repurchases to $343.4 million. With that, let us turn to guidance, starting with revenues. For the full year 2025, we expect revenues to be in the range of $645 to $657 million, which represents a growth rate of 6 to 8%. For the first quarter of 2025, we expect revenues to be in the range of 155.5 to 158.5 million, representing a growth rate of 7 to 9%. This guidance assumes no material change in our net dollar expansion rate, with moderate growth contribution for new business in 2025. We also realize that there may be some near-term adjustments to the plan, given the upcoming CRO departure. We'll be sharing updates as we make progress throughout the year. 
Shifting to profitability guidance, for the full year 2025, we expect EBITDA margin to be in the low 40s, implying 18 to 20% increase in operating expenses, and free cash flow margin in the low to mid 30s. We expect full year EPS to be in the range of 5.50 to 5.90. For the first quarter of 2025, we expect EPS to be in the range of 1.40 to 1.50. Our planned capital expenditures in 2025 are expected to be in the range of 8 to 13 million, and for the first quarter of 2025, in the range of 2 to 4 million. In 2025, we anticipate gross margin to contract by approximately 1% given certain investments we are currently making in some of our data centers to achieve greater operational efficiency and reduce medium to long-term marginal costs. With respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, accelerating our partner program, and expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing and engineering with a more modest increase in G&A. With that, I would be happy to answer any of your questions.
Thank you. As a reminder, to ask a question, please press star 1-1 on your telephone and wait for your name to be announced. To withdraw your question, please press star 1-1 again. Please stand by while we compile the Q&A roster. Our first question comes from the line of Kingsley Crane from Canaccord Genuity.
Hi, thanks for taking the questions and congrats on a great quarter. So again, you have so many great products in the portfolio. We've seen some others in the space opt for more of a consolidated consumption plan that simplifies pricing and can get more products in the hands of customers. So any thoughts on creative packaging opportunities over this next year?
Yeah, that's a great question. I think for us, as I mentioned in my script, really customers are looking at ways that they can anchor how they're looking at their cybersecurity spend by looking at the business risk and how they are able to articulate that spend by reducing business risk. And that is a combination of bringing Qualys modules wherever available, bringing data from third-party solutions that are available. And so as we are early in this journey right now with ETM and the amazing feedback that we are getting right now from the early adopter customers for ETM and the POCs that we're going. I think as an evolution of that, we continue to look through the year at getting feedback from these early customers and how we can help them adopt the broader platform, both in terms of the integration, but also pricing. And it is something that we will be continuing to review throughout the year to see where we have opportunities for packaging, that sort of a model anchored around the adoption of ETM rather than individual modules.
That's great to hear, Sumedh. With Dino's departure, it sounds like you're going to oversee sales efforts a bit more hands-on. You recently had taken on a bit more with product and marketing as well. So just wondering, any updated plans or thoughts on your bandwidth and if you're looking to hire any key leaders across the business and just how you plan to balance your time the upcoming year? Thanks.
Yeah, thank you. I've done this a couple of times in the past, and I'm happy to jump in periodically to help as needed. Again, we thank Dino for being part of the team, but we have been working on this for a while with the broader team, not just the CRO, and our 2025 planning is in a good place. So now it is really about focusing on execution, and as you see, a key part of our execution celebrating the success that we're seeing with our engagement with the partners and how can we pivot more towards a partner-oriented GTM strategy, which means that the focus is a little bit less on direct and growing direct and more on how do we partner with our partners, both from lead gen, pipeline gen, as well as execution on closing deals, etc. So I think we continue to focus on executing that, working closer with partners and aligning our sales leadership with that. The good news is that our sales leadership below Dino is very strong. Many of them have been here even before Dino joined us, and they are very connected, dedicated to the mission. And so I look forward to continuing to do that. I think on the product side, we have great leaders with our CTO, Dilip Bhatwani, as well as our SVP of product management. Both have been here for over 10 years and really driving working with me, the execution that is needed on the product side, again, aligning to our vision of delivering capabilities like MROC, which will encourage our partners to do more with us, not just from the GTM side as well, but also from the product side. So again, for us now, it is really more about finding the right leader who understands our partner focus and will be leaders who will be working with us on making sure that we're not necessarily focusing on the direct side of growing the business, but more around focusing on how do we pivot our partner focus and make sure that all the different aspects of the business are going in that direction.
Makes sense. You definitely have a deep bench. Thanks for the time.
Thank you. One moment for our next question. Our next question comes from the line of Matthew Heberg from RBC Capital Markets.
Hey, guys. This is Mike Richards on for Matt. Thanks for taking the question here. Maybe I want to go back to Dino's departure and appreciating that, you know, you probably already had your sales kickoff here and, you know, you had a plan for the year, but what are some of the changes that maybe we could expect or that, you know, think could really improve the sales motion this year, you know, given his exit and, you know, you taking the reins here?
Yeah, we really finished our planning for 25 towards the end of last year and now it is about executing on the sales goals with our, you know, SACE head that's helping essentially manage a SACE team globally, SVP of product, SVP of partnerships, and then our VP of sales ops and enablement. And so as I talked a little bit about this and we saw the release of MROC, which is our partner-focused managed services platform, as well as really focusing on working with our partners on how do we increase the deal regs, how do we leverage essentially our margin to make sure that we are able to balance bringing customers to these partners, but also how these partners can actually create revenue for themselves with services that they can anchor around the Qualys platform with consolidation of multiple different capabilities with risk quantification, remediation, etc. And so for us, really focusing on the pillars of how are we going to make sure that we, you know, last year, as we said, our focus was partner-led for new business. We started end of last year, and this is our key execution this year is how do we also work on our existing business, which has direct customers, to leverage that relationship with our partners to potentially bring them some of our direct customers while working with them on a partnership where they bring us new logos so that we can execute towards creating more opportunities for ourselves. So there are multiple different things that we're focusing on that, as well as focus on our federal business, which is something that we are excited about the potential opportunity. So we'll continue to execute on that aspect as well, because our current contribution to the business from federal is extremely small. And so there continues to be a much larger opportunity there. 
So it's really about how do we pivot our execution, which has been a mix of direct and indirect to reduce the friction that is there and then build the confidence with our partners by not only giving them that confidence of the business we can bring them that is direct with us, but also giving them a potentially significant revenue stream by adding services around the managed ROC capability, which we are seeing a lot of global enterprises gravitate towards, given that it adds a layer on top of their existing tools as well.
Great. And then I just want to ask on Total AI, I mean, it seems like there's such a big opportunity there. So, you know, maybe stepping back, you know, has there been any early customer feedback on Total AI? How are you thinking about it in terms of a growth driver for next year, or maybe just picking up steam? And then, you know, I know it's all greenfield, but who else are you seeing when you're going in and talking about Total AI? Is there anyone else, you know, kind of doing what you're doing here or, you know, anything else on just competitive dynamics there?
Great question. I think if you look at the journey of AI itself over the last couple of years, I think 23 a lot of people started looking at that. In 24, lots of POCs, they took place in many companies around leveraging LLMs, and then as we go get into 25, we are going to start to see deployment of more and more AI LLMs into actual production environments. We saw a little bit of that starting to happen at the end of Q4. And so the questions from customers really are about what are the things that they can do to secure their AI workloads. And, you know, the first question we ask is, well, how many do you have? And they cannot even answer that. And so in that sense, the Total AI capability, and you probably saw a recent blog, we pointed our quality to DeepSeek and found a whole bunch of issues, and it's really about helping customers get that level of comfort that whatever they are putting out in the production environment is not something that could be jailbroken, is not something that is leaking information that it should not. It is following compliance guidelines as well as detecting vulnerabilities in this. And so in that sense, the way we see it is Total AI is fairly unique because we are actually able to leverage our existing footprint in the customer environment to first help discover their AI workload so they don't have to deploy another solution to discover AI in the first place. And then once we discover those AI workloads, we're actually able to scan them using the scanner, the agent that they already have from Qualys and then provide them that visibility. Early feedback has been very good. In fact, in our strategic advisory board, when we asked our strategic advisory board CISOs to pick the area that is top of mind for them for 25, AI security came up the most. So we look forward to those engagements turning into paid opportunities. 
However, CISOs are also going through this right now, trying to figure out how are they going to pay for this? Where does that come from? Do they get additional budget? Are they going to get additional budget for security? Are they going to move some of the money around from their existing budget given their overall increase in cyber spend is not that significant? We don't anticipate it to be that significant. So I think right now it's a little bit early for us to know what kind of impact it is going to have. But the opportunities that we are starting to see build up are definitely encouraging and positive. And in that sense, that the way we are scanning AI, we feel that it's pretty unique. And that's the feedback that we're getting from customers is this is a great way because they look at it as like the gates at immigration, right? Like the security will scan that LLM before it goes into production and then give a thumbs up or a thumbs down so that they can go back and see it. And again, if you want to see the kind of things that our scanner is able to detect, you can read our blog around and when we pointed it to DeepSeek, what are the things that we found around that. So we're excited about that. We just don't know right now and monitor really how that opportunity is going to evolve. And yes, it is greenfield, but also depends on how much additional budget CISOs will be able to get from their CFOs this year versus next year in terms of investing more in AI security. And we expect that to start this year and have a gradual ramp into next couple of years.
Great. Thanks again. Congrats.
Thank you.
Thank you. One moment for our next question. Our next question comes from the line of Rudy Kessinger from DA Davidson.
Hey, thanks for taking my questions. You know, the last two quarters now, you guys have had pretty good outperformance on both revenue and current calculated billings. I guess just particularly in Q4, just what relative to your guidance and expectations, what came in specifically better than expected? I know you said you had a weaker Q4 pipeline going into the quarter, but again, pretty strong revenue, current calculated billions in the quarter. And then just as I look at the guidance for Q1 and next year, it doesn't seem like, you know, you're really expecting that to continue, particularly in Q1 with the revenue decline expected. So I don't know, was there anything maybe one time in Q4 that drove the upside? Or I'm just trying to put together the strength in Q4 and Q3, but not really seeing that continue in the guidance that you're providing.
Yeah, the second half of 2024, current billings, if you're taking a look at that, it was higher than the bookings performance, partly due to the invoicing cycle. But if you take a look at the revenue in Q4 in particular, we did have better linearity, a little bit better on the renewal in terms of how the deals closed in the quarter that did have an impact on the revenue that we booked in Q4. Looking into Q1, one of the reasons why Q1 looks a little bit light is because, I mean, we're not taking into any consideration from the late renewal slippage into Q1, and then plus the fact that the number of days in Q1 is lower by two relative to Q4. And then looking at the full year, one of the assumptions that we've kind of made was if you take a look at our net dollar expansion rate, currently at 103%, which is great from the perspective of it's stabilized. However, if you take a look at a year before or even two years ago, it's down. So taking that into consideration, looking at the trajectory of the business, we are assuming no improvement in net dollar expansion rate going into 2025. And then also the fact that we are taking that partner-first approach, which means that with the partner business currently making up 48% of revenue in Q4 relative to 44% a year ago, we are expecting that trend to continue into 2025, which could have a shorter-term negative impact in the growth.
Okay, and on the new logo front, I know for the first several quarters in 24, you've called out, I think, double-digit year-over-year growth in new logo bookings. I know Q4 was a tougher comp, but where did that land in Q4? And I know you're keeping that expectation on DBNER to remain steady 103. Like, what is your expectation then on new logo bookings growth in 2025? It would seem to be it's expected to be weaker growth than 24.
Yeah, that is the assumption that we're making right now because in Q4, like last quarter earnings, we had called out the fact that Q4 looked to be a little bit light from the new bookings perspective. And it actually did turn out to be that. We were a little bit disappointed with the new booking performance and then the amount that it added to the revenue growth rate. So we're kind of assuming that it will continue on that path into 2025 where we're not expecting meaningful growth in the new business, especially particularly just because we are more focused on landing new logos through our partners. So we'll be working with them very closely to see what kind of incentives that we can offer them so that they can really go out into the market and help us to get new customers in.
Okay, that's all very helpful. Thank you.
Thank you. One moment for our next question. Our next question comes from the line of Srenik Kotari from Baird. Srenik, your line is now open. Please check your mute button. Again, Srenik, your line is open. Please go ahead. One moment for our next question. Our next question comes from the line of Josh Tilton from Wolfe Research.
This is a marquee take on for Josh Tilton. Just one quick question. We've heard several vendors talk about conservatism related to the federal vertical and the administration change. And we just wanted to ask, how are you thinking about that for the coming year in terms of potential opportunity and how it's factored into the guidance next?
Yeah, we're super excited about the opportunity, right? And I think what exactly the administration will do on a day-to-day basis, I think your guess is as good as mine right now with all the things that are changing. However, I think the narrative from the new administration has definitely been about not doing things the old way and really bringing more efficiency in everything that the federal government is doing. And so that we look at that as opportunities for us because many federal agencies for many years have been using on-prem vulnerability assessment capabilities that are arcane, that are costly to maintain, need a lot of hardware, need a lot of people. And so as we await our FedRAMP High certification, which will then make our platform as one of the only FedRAMP High platforms that does vulnerability management, patch management, EDR, risk management, all in a single platform. We are excited about the potential opportunities that it can bring. We continue to invest in our federal team. That is one of the things we're focusing on this year, focusing GTM, growing the team as well on the federal side. And with that, and just a little bit hard right now to know when we will get that FedRAMP High certification this year with administration changes, but we are hopeful for that. And once we get that, that can open up quite a bit of opportunities for us, but hard to tell right now what impact it will have on 2025. So we're not factoring that anything majorly in it right now. Overall, given the narrative of being able to bring efficiencies and being able to modernize infrastructure and moving in a more positive direction, we think we're well-suited to capitalize on that versus older on-prem solutions that have been incumbent there for a while.
Awesome. Thanks so much. Congrats.
Thank you. One moment for our next question. Our next question comes from the line of Yon Kim from Loop Capital Markets.
Okay, great. Thank you. Uh, quick question on the Enterprise TruRisk Management or ETM. Uh, it seems like that's a clear differentiator for you guys out there. And it's definitely something, uh, that at least I'm keeping an eye on. Uh, if you can just talk about the, um, you know, the overall go-to-market motion around ETM, the competitive landscape and, uh, obviously, you're heavily leveraging the channel this year. Is this a product that could be leveraging to the channel, not just direct? Thanks.
Yeah, that's a really good question, especially if you look at right now, we believe we don't see any other solution in that space that is as comprehensive as ours because you have some aggregation solutions that are very focused on vulnerability aggregation, but they don't do risk quantification. There are some that do some risk quantification, but they don't do the aggregation part as well. And definitely, we don't see anybody who's kind of doing that also doing a good job at remediation. And so if you look at the Qualys ETM platform and the concept of the risk operation center, which a lot of our CISOs are super excited about because they don't want to go to the board for next year's strategy and say that they just want to implement another solution for multi-factor authentication as their strategy. They want to be able to say we're building out a risk operation center just like 10 years ago we built our security operation center for threat detection. We want to do proactive risk management and the ETM platform enables bringing out a risk operation center. And that's why, because it provides the risk quantification, it provides the ability for a CISO to be able to have a conversation. Today they say we fixed so many things and we had so many issues, but that doesn't mean anything to the business. ETM allows them to go out and be able to say, look, our $500 million business has a potential loss of $10 million a day. And currently based on risk signals from multiple different products, the possibility of that happening is high. And if we invest $500,000, we can bring that risk down to an acceptable level. And so now it is a much better conversation that the CISOs can have with the CFOs to say, look, we can invest $500,000 in this particular area of cybersecurity, and it will bring down the potential of losing $10 million a day by 80%.
That's a much better conversation is how they look at it and that's the feedback that we have gotten and we don't see other platforms out there right now that are really enabling that. I think the GTM definitely evolves for us this year as ETM comes out because now it's less about a replacement conversation about your existing vulnerability management solutions so our new business sellers can really go out there and say, that's okay, you can keep the current solutions that you have if you have this cloud provider and that vulnerability provider and that identity provider. We are not here to have an immediate replacement conversation. We can easily take the data from all of them and we can show you a consolidated view of the risk coming from all these existing solutions, which makes it a little bit easier for the CISO not to have to go for a fight with their internal teams to replace a tool that is already working well for them just because they're getting some additional potential discount. So it essentially means our new business sellers, any customer that has any cybersecurity tool set becomes a potential customer for us for acquiring new logos, and doesn't have to take that long as it would if you're replacing another solution. Our post-sales team, they get an opportunity for existing customers that might have some other solutions for cloud security for EDR to then go and layer that on top.
And we already had one customer that has a well-known cloud security provider just for the cloud estate, but then they are purchasing the ETM capability, paying us additional revenue on top of what they're paying the cloud provider, to consolidate those findings into one, right? So it gives us the opportunity to make revenue on top of any investment that the customer might have made in other tools as well. But also from a partner perspective, you know, I mean, as we work with partners, of course, the partners have been selling our competitor solutions for a certain margin, and you can give them a little bit more margin here or there, but that doesn't move the needle as much. However, many of the providers who are resellers, et cetera, are moving to figuring out how they can increase revenue significantly with managed services, because services is where they can make a lot of business. Today with the deployment of ETM, where really the largest customers are actually the ones who are looking at deployment, they need services around that, and services for risk quantification, service for aggregation, service for risk monitoring, service for risk elimination, and these are brand new services. So these partners today are in the MDR market, which is a cutthroat market, and the MDR service is provided by many people. But the reason why partners are excited and can potentially bring even more business to Qualys because every business of purchasing Qualys products that they bring can add additional services for them on top of Qualys that they can generate revenue on. And so that is where a key part of what we are doing. And you saw the release that we did with MROC is really about enabling ETM to be delivered to our partners for the most part so that partners are excited about larger deals, bringing those to us, and also they don't have to constantly get in the conversations of replacing tools to make additional revenue.
A little bit of a longer answer, but it's something that is definitely an interesting way for us to tweak our GTM and have less replacement conversations and more about consolidation and letting them use the existing tool set that they have. Because honestly, when we talk to CISOs, very few of them, if at all, are actually thinking that they're going to replace all of their tools with a single vendor.
Wow. I can tell that you're very excited about the opportunity around ETM. Yes. Just another question around the investments that you're making around the indirect channels. You already talked about the opportunity around MSSPs, but what about the hyperscalers and CSPs? Is this something that could be also deployed on the cloud environment as well, meaning the CSP environment?
Yeah, for sure. I think today, if you look at... you know, you can have this cloud security solution that is either provided by the CSP or is provided by, you know, one of the cloud-only solutions. But, you know, when I ask CISOs, I say, okay, that's great. So now you know you have 75 buckets that are open, but how does that impact your business? Do you know how much you'll stand to lose because of these buckets open? And they cannot answer that question because a lot of times the risk may not be in the cloud directly, but the risk might be coming from malware that is on the laptop of the admin who is looking to access that particular cloud account, and a cloud-only provider cannot pick that up, but then an EDR provider will pick up the risk. How do you tie these two things together? And that's where something like ETM can be useful. And as our larger customers, you know, they are working with different cloud providers and they have EDP credits with different cloud providers and they can leverage those. We continue to work with them to find ways that we can essentially map customers that have other tools but can actually use their credits to purchase things like ETM as well or working with partners who can then transact through some of these cloud providers for their credits. So I think those are also opportunities that we are continuing to explore. We recently had a conversation with a cloud provider exactly around that, and so that's an area that we continue to push forward this year as well.
Okay, great. Thanks, and good luck with the ETM this year. We wish you the best around that.
Thank you very much.
Thank you. One moment for our next question. Our next question comes from the line of Jonathan Ho from William Blair.
Hi, good afternoon, and congrats on the strong results. I just wanted to understand sort of relative to your guidance how we should be thinking about the level of investments that you're making this year and maybe where you see the most opportunity to leverage that either relative to your go-to-market comments or on the product side. Thank you.
I think for us, we continue to evolve the product, and so there are opportunities for us to work with our partners on things like MROC, but I think our focus continues to be on GTM investments. That's where we see where, again, tracking returns, seeing the success we're seeing with partners. And so it's really going to be about how do we continue to find ways with our partners to invest in GTM, but pivot more towards working with partners to bring them business so that they can bring this business, doing co-marketing, joint marketing, etc., investing in roadshows around MROC, et cetera, and then investments in the federal business, which is something that we want to continue to do. So those are essentially the areas that we are looking to do. I think the product development area is something that we do well and we do very efficiently as well, and so we will continue to add capabilities there. And, of course, there will be certain investments in solution architects and the functions around MROC to surround the sales team with success for being able to go out and do POCs around ETM, et cetera. But that's really how I see where we're going to be continuing our investment and not necessarily so much on engineering and product increases.
Got it. Got it. And just as a quick follow-up, I mean, I think we've seen a lot of emphasis around TruRisk and TotalCloud in our conversations. How do you think about this approach of selling on the bundling side and potentially what that uplift looks like from a revenue standpoint? Maybe not immediately, but over time. And how do we think of that, especially along the axis of adding additional product versus adding additional assets? Thank you.
Yeah, we are actually excited at the opportunity. We see that as ETM, which is, ETM becomes a layer on top of the different cybersecurity capabilities that the company has, and ETM becomes the layer through which the CISOs really interact with the platform. And so the way we see that is that those who want to adopt ETM, the platform play becomes actually quite interesting because now for ETM, they can actually adopt inventory, they can adopt vulnerability management, cloud security, some of these modules from Qualys as they need, and then also bring data from other third parties as well. And so as we get feedback from our customers, we do see that ETM can allow us more conversations around, well, here's a platform that is going to essentially pull in the basic things that you need for your initial risk management, and then you can layer on by using additional spend for third-party data coming in. And as we learn through these conversations with our initial customers, I think that is going to inform later this year on how we come up with the packaging and bundling around ETM that includes multiple Qualys modules. Today, we are already seeing conversations with our existing customers where they are actually looking to buy additional Qualys modules just because they integrate into a singular score, right? That's the idea is that instead of getting all these big lists and when I talk to CISOs and ask them what is the risk posture view today, they show me 10 different dashboards from 10 different tools, but that doesn't say anything about how much risk a particular entity in their environment has because it's every single tool is reporting a different set of findings. So TruRisk anchors to say, well, why should I buy AppSec from Qualys versus somebody else? Because the Qualys AppSec is already built into the platform and there is no additional cost right now to use that within ETM. So it's like you can bring AppSec data from a third party if you would like.
So we're open to that, but then they pay for the data ingestion, or if they use the Qualys module, which we already have, then they don't have to pay for the ETM ingestion license as an example, and that is an incentive potentially for them. So as we roll this out, we will get feedback from customers and see how that increases our attach rate for additional products, and then how do we come up with the pricing that allows them to adopt more capabilities as part of ETM without having to create purchase orders every time they want to try something new. So in a way, how do we find a way to give them access to bundle or at least to have access to multiple capabilities from Qualys with the spend that they have with us. So these are things that we are working through right now and that we are excited about getting feedback from our customers and that should inform how we roll out bundling and pricing at some point later this year.
Excellent. Thank you.
Thank you. One moment for our next question. Our next question comes from the line of Brian Essex from JPM.
Hello, Bidik on for Brian Essex. Quick question. I guess you've now provided your revenue guidance for the year. How should we think about billings, especially with the strong billings that you had the last two quarters? Should it follow a similar trajectory to what you provided for revenue guidance? And overall, how should we think of it going throughout the year? Thanks.
Yeah, for current billings, we ended the year at 9% and total revenue growth rate of 10% for 2024. I would just say for now, since we don't provide current billings guidance, you can assume the same current billings growth rate in 2025 as a revenue guidance, which is 16.
Got it. Thanks. And I guess a quick follow-up. Can you help me understand, like, what do you think still needs to happen in the – in the channel to see investments translate to top line growth. I know like overall investments in the channel can be a lagging effect versus just investing in direct. Like at what point do you think you've, you've invested what you need to do? Is it just that you need to continue with product knowledge overall is what still needs to happen? Thanks.
Yeah, I know this is a multi-year program that we launched a couple of years ago and, you know, initially was just repairing our relationship with partners and bringing, building confidence and, uh, getting initial deal register. We evolved that strategy into going fully, um, you know, new business partner first, which was sort of the next step. This year we are focusing on, uh, working to see how we can take some of our direct customers to the partners and have them bring us additional, um, net new logos for having this partnership, the next evolution of that is the margins and the percentages are fine, but how can we help them make $10 of services revenue on top of a dollar of product revenue potentially, right? That's where the evolution of MROC is. And so I think internally, of course, we continue to track our deal registers. We continue to track our win rates with partners. It is pretty clear that we're having good success with our strategy so far. And so now it is about pivoting towards that. And, you know, I think we have done a pretty good job of going from 60-40 down to a 50-48 split while reasonably maintaining our margin. And so I think that's a testament to the way that we are thoughtfully tracking our investments and working with our partners. So we continue to work with our partners and continue to improve our deal with partners, and part of that is we're doing a lot of investment, spending time with the SKOs, providing them opportunities for upsells with collateral and material, and then also a lot of training that we are doing with these partners so they become aware of the Qualys capabilities and how to pitch some of the Qualys capabilities so that those are all areas that we have been investing in and we continue to invest in.
Thanks for taking the question.
Thank you. One moment for our next question. Our next question comes from the line of Hamza Faderwala from Morgan Stanley.
Hi, this is for Hamza. Thank you for taking my question, and congrats on a solid result in the quarter.
Going back to guidance, you know, last quarter, you noted expectations for ongoing budget scrutiny to proceed going forward. Today, you're expecting NRR to sustain at around 103%. And if I heard correctly earlier, you noted expectations for, you know, near-term potential adjustments to guide to incorporate the CRO transition. So, you know, can you help us bring all that together? And how should we think about the level of conservatism to guide? Thank you.
Yeah, I think our guidance for this year takes into consideration all the points that you just laid out. I think that the biggest growth drivers in our business is still our existing customers. So if you take a look at our net dollar expansion rate, having ticked down consistently for the last couple of years, because of where we ended in 2024 at 103, we're assuming no improvement to that 103% entering 2025. And given the light new bookings performance in Q4, and we're assuming that we'll kind of continue into 2025, that's informed our guidance of 6% to 8%. And this is what we see today, and we thought it was prudent for us to guide based on what we see today versus, you know, like Sumedh talked about, there's a lot of opportunities in the business and upside within your products, like ETM, working very closely with partners to drive new logo lands as well as expand. But again, that's the timing of realizing that and recognizing into revenue is a little bit uncertain.
Got it. Very helpful. Thank you very much. That's it for me.
Thank you. At this time, this concludes today's conference call. Thank you for participating. You may now disconnect.