Qualys, Inc.

day and thank you for standing by. Welcome to the QALYS third quarter 2025 investor call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question-answer session. To ask a question during the session, you will need to press star 1-1 on your telephone. You will then hear an automated message advising your hand is raised. To withdraw your question, please press star 1-1 again. Please be advised that today's conference is being recorded. I would now like to hand the conference over to your first speaker today, Blair King. Please go ahead.

Thank you, Brianna. Good afternoon, and welcome to QALYS' third quarter 2025 earnings call. Joining me today to discuss our results are Sumedh Thakkar, our president and CEO, and Jimmy Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements, and factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC. including our latest form 10Q and 10K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. The reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release prepared remarks and investor presentation are all available on the investor relations section of our website. So with that, I'd like to now turn the call over to Saman.

Thanks, Blair, and welcome to our third quarter earnings call. With third actors continuing to reduce time to explore at a fast pace, I believe the future of cybersecurity is moving from attack surface management to risk surface management, using agentic AI-powered proactive risk management with business quantification and automated remediation. Against this backdrop, we continue to execute well in Q3, demonstrated by another quarter of solid revenue growth and profitability. Over the last couple of years, I've had the privilege of meeting with hundreds of CISOs, CIOs, and security leaders worldwide. From these conversations, one theme has stood out, the need to operationalize cyber risk management in business terms to align budget spend with business risk. CISOs are looking for a practical approach to consolidate tools where possible and empower their teams to use best of breed where it makes sense. They want to seamlessly unify their security toolset into a centralized risk fabric that provides an alternative to single-vendor platformization by operationalizing the management of multiple risk vectors to effectively measure, communicate, and ultimately remediate the organization's risk posture. The Risk Operations Center ROC, powered by Qualys ETM, delivers on this ask. At our recently concluded ROCCON Risk Operations Conference in Houston, where we elevated the business risk conversation To feature a specialized CFO and board track, our customers validated this approach. With the broadening of the agenda for ROCCOM, the attendance was up 20% over last year's QSC event. While traditional security operations centers focused on detecting breaches after they happened, Qualys is pioneering the first agentic AI risk operations center, ROCC, a new category in cybersecurity designed to centralize an organization's response to threats before they impact the business. Powered by our ETM solution, the ROC processes several petabytes of high-fidelity data every day, normalizes and correlates intelligence from both qualis and non-qualis sources, and equips AI and humans to collaborate in real-time, detecting and responding to threats at machine speed. This isn't about more alerts. It's about actions that close blind spots before attackers can exploit them. Unlike traditional continuous threat exposure management CTEM tools that simply highlight the exposure but lack adequate native remediation capabilities, our differentiated ETM solution combines CRQ, CTEM, and native remediation operations to fix the risks that matter most quickly and at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that boards and customers value. Early adoption is already validating the model, with POCs continuing to convert to commercial deployments, underscoring both the scale of this opportunity and its parallels to the early days of VMDR. And we're not stopping there. Our R&D engine is continuing to deliver innovations, rapidly expanding our platform and positioning Qualys for a larger upsell opportunity. In doing so, Qualys is now extending several proven module native capabilities into ETM, empowering organizations to harness them seamlessly across the entire attack surface. By democratizing trillions of security exposures from both Qualys and third-party tools, including vulnerabilities, misconfigurations, and identities aggregated by our ETM solution, we are unleashing a sophisticated predictive platform that leverages a combination of Qualys through its framework our true-length threat management capabilities, and a mission-ready agentic AI workforce operating autonomously from discovery to remediation with full ITSM integration. This unique combination of capabilities identifies trending threats in real time, benchmarks the risk against peers, assesses organizational impact, and quantifies risk in clear, actionable terms that matter most to the business. As a result, security and IT teams can continuously prioritize ticket and remediate threats based on organizational risks associated with emerging exposure targeting specific industries, asset types, and identities. We believe these most recent additions to our ETM solution further advance our differentiation in the market, enhance security operations, and significantly accelerate measurable outcomes for customers. Next up for our ETM solution, I'm particularly excited about yet another pioneering capability from Qualys, TrueConfirm. TrueConfirm flexes the power of our platform to confirm exploitability before customers become compromised. Using automated validation at scale, we remove the guesswork for customers by running safe exploits over the network to confirm whether the attackers will succeed in their breach attempts while closing the gap between theoretical and actual exposure. This approach further allows customers to be laser-focused on prioritizing only exploitable blind spots for the next logical step which is automated remediation with TrueRisk Eliminate. Our industry-leading capabilities are increasingly being recognized by our customers, partners, and third-party analysts. Specifically, at Black Hat, Qualys won two Pawnee Awards for our outstanding contribution to threat research underpinned by our strong leadership in threat intelligence and triage. Equally important, GigaOM recognized Qualys as the leader in patch management, a market Qualys pioneered with over 140 million patches deployed in the last year alone. While some competitors are only beginning to validate the strategy, Qualys has advanced well beyond patching. True risk eliminate closes the unpatchable gap, enabling IT and security teams to automate an array of compensating controls when patches are deemed too risky to deploy or simply not available. And with adversaries increasingly exploiting vulnerabilities at AI speed, our umbrella of AI-based automated remediation solutions has evolved into a significant adoption layer, a distinctive competitive advantage, and opens new market opportunities for Qualys. Moving on to our business update. With customers spending $500,000 or more, with us growing 5% from a year ago to $211, Let me share a couple of recent wins, which illustrate why organizations ready to centralize their response to cyber risk are turning to Qualys to help unify their security tools, quantify and remediate risk in their environments, and fortify their security operations. In Q3, one of my favorite wins was with a Global 700 customer that was previously only using Qualys for PCI scanning. This customer, like many organizations, were buried under fragmented telemetry manuals, spreadsheets, and disconnected tools. With little automation, their teams were spending more time documenting than reducing risk and consequently were burdened by an onslaught of compliance audits. This customer chose Qualys to transform siloed risk signals spanning code repositories, endpoints, identity, cloud container, and network assets into a cohesive real-time risk management solution by consolidating Qualys and non-Qualys data. This included replacing their existing vulnerability management vendor and purchasing three additional Qualys modules, including ETM, to begin operationalizing the risk operation center with ingested third-party data resulting in a mid-six-figure annual booking sub-sell. By consolidating these data sources into Qualys platform, we are delivering this customer a vendor-agnostic orchestration layer with full visibility of their attack and risk surface, centralized risk management, quantification, prioritization, and remediation, while unleashing the operational efficiencies of security stack consolidation aligned with acceptable risk parameters for the business. With our innovative technology, unmatched platform effect and focus on reducing risk and friction, this will underscore Squalus' ability to eclipse legacy siloed solutions and advance our leadership in the industry. It's also an outstanding example of how we are working with our managed risk operation MROC partners of choice to activate the ROC with new wind business. For the next phase, this customer is evaluating our total cloud native CNAP solution and through this eliminate solutions while also bringing additional third party tools into Qualys platform representing a significant upsell opportunity. Further leveraging our MROC partner ecosystem to drive new logos was a new six-figure customer win with a major airline in the Middle East. This customer chose Qualys because of our unified detection and remediation capabilities with TrueRisk Eliminate. Nearly nine months after announcing GA with our ETM solution and over 28 POCs converting to commercial success already, we have gained valuable insights into ETM pricing and packaging. As a point of reference, we expect that for every $1 of VMDR, ETM can drive an uplift of up to 100%. now that ETM will include cybersecurity asset management, as well as other ETM feature enhancements, such as those mentioned earlier, and third-party data ingestion. Given this, starting with our Q1 2026 earnings call, we will shift from reporting cybersecurity asset management, LTM bookings, to ETM customer penetration, as we believe ETM will be evolving into a key pillar of growth for Qualys over the next several years. Turning to our federal business, we achieved a high six-figure upsell with an existing large government agency This customer has previously used multiple legacy and next-gen tools to manage a variety of risk management use cases across their security IT and DevOps team. In addition to the complexity of using multiple point products, this government agency has become increasingly frustrated with increasing costs associated with legacy on-prem deployments, the efficiencies of operating siloed systems, and elongated remediation efforts. With a distinct need to shift several monolithic workloads to micro-application across its hybrid environment on a FedRAMP high solution. This customer accelerated the consolidation of its security stack over 17 Qualys modules, including VMDR, cybersecurity asset management, TotalAppSec, TotalCloud, TrueRisk, Eliminate, and TotalAI. Today, this customer is leveraging a unified dashboard that provides them with a greater insight in automation than any of the competitive products they evaluated, while taking full advantage of the speed and scale of cloud-native platforms. This alongside a significant seven-figure state win are a testament to the strength we see in our federal, state, and local government business and the long-term growth potential of the market. Beyond these wins, we are also increasingly gaining leverage from our partner ecosystem. In Q3, partner-led deal registration increased, demonstrating the success of our partner-first sales motion. In addition, we have now certified nearly a dozen partners who are actively launching MROC services, leveraging ETM, to deliver centralized automated pre-breach risk management. Momentum is building towards a global ROC alliance, and we expect to certify additional strategic partners in the coming months ahead who are committed to positioning Qualys as their MROC partner of choice. Further contributing to our platform growth is our flexible platform pricing model, which we are calling QFlex. We beta tested QFlex in Q3 to help customers accelerate and maximize the adoption of the Qualys enterprise risk platform. In less than a quarter after introducing this model, we're seeing notable customer interest and tremendous success. To give you an example, an existing Global 10 customer made a multi-year commitment under our QFlex program, increasing their annual bookings by over 50% while adding new modules to their subscription count with Qualys. This one reflects our growing capabilities in risk management and we expect the contribution from QFlex to continue to grow. Our continuous innovation, early ROC deployments, strategic wins with federal, customer, and state agencies, momentum in partner-led initiatives, and the initial adoption of QFLEX collectively underscore Qualys' strength in unifying risk management workflows, reducing operational complexity for customers, and addressing today's toughest security challenges. We believe these achievements not only validate our ongoing investments, but also position Qualys as a trusted leader in pre-breach cyber risk management setting the stage for durable growth and long-term success. With that, I will turn the call over to Jumi to further discuss our third quarter results and look for the fourth quarter and full year 2025.

Thanks, Saman, and good afternoon. Before I start, I'd like to note that except for revenues, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. Turning to third quarter results, Revenues grew 10% to $169.9 million. The channel continued to increase its contribution, making up 50% of total revenues, compared to 47% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 5%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By GEO, 15% growth outside the US was ahead of our domestic business, which grew 7%. US and international revenue mix was 56% and 44% respectively. In Q3, growth retention continued to improve. However, upsells remain challenging with our net dollar expansion rate at 104%, unchanged from last quarter. In terms of product contribution to booking, Hatch management and cybersecurity asset management combined made up 17% of total bookings and 28% of new bookings on an LTN basis. Our cloud security solutions, total cloud CNAP, made up 5% of LTN bookings. Reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2025 was 82.6 million. representing a 49% margin compared to a 45% margin a year ago. Operating expenses in Q3 increased by 5% to $64.9 million, driven by investments in sales and marketing, which grew 9%. As we remain focused on driving growth, we are mindful of where to further increase investments while optimizing returns and others, which result in an EBITDA margin exceeding our expectations in Q3. This demonstrates our ability to maintain high operating leverage, remain capital efficient, while continuing to innovate and invest to support our long-term growth initiatives. With this strong performance, EPS for the third quarter of 2025 grew 19% to 1.86. Our quarterly free cash flow was 89.5 million, representing a 53% margin compared to 37% in the prior year. Here today, free cash flow margin was 46% compared to 42% in the prior year. In Q3, we continue to invest the cash we generated from operations back into quality, including $901,000 in capital expenditures and $49.4 million to repurchase $366,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, We've repurchased 10.4 million shares and returned 1.2 billion in cash to shareholders. As of the end of the quarter, we have 205 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenues. For the full year 2025, we expect revenues to be in the range of 665.8 to 667.8 million, which represents a growth rate of 10%. This compares to prior guidance of 656 to 652 million. For the fourth quarter of 2025, we expect revenues to be in the range of 172 to 174 million, representing a growth rate of 8 to 9%. While we believe our platform approach to cyber risk management provides some insulation in this macro volatility, this guidance assumes continued budget scrutiny in a challenging environment for new business growth in Q4. Shifting to profitability guidance, we expect full-year 2025 EBITDA margin in the mid to high 40s, monthly cash flow margin in the low 40s. We expect full-year EPS to be in the range of 6.93 to 7, a prior range of 6.2 to 6.5. For the fourth quarter of 2025, we expect EPS to be in the range of 1.73 to 1.8. Our planned capital expenditures in 2025 are expected to be in the range of $5.5 to $7 million, and for the fourth quarter of 2025, in the range of $1.2 to $2.7 million. With that, Sumedh and I will be happy to answer any of your questions.

Thank you. At this time, we will conduct the question and answer session. Please stand by while we compile the Q&A roster. Our first question comes from Roger Boyd of UBS. Your line is now open.

Awesome. Thanks for taking the questions, and congrats on a nice quarter. Sumed, can you just double-click on some of the pricing you mentioned around ETM earlier? I just wanted to be clear on that 100% upsell metric. Is that inclusive of what you have with cybersecurity asset management and patch? And just now with the kind of packaging sort of figured out on that product, just your confidence and kind of the ability to start driving better upsell moving forward. Thanks.

Yeah, that's a great question. So from the way the pricing we're looking at it is the ATM pricing is going to include cybersecurity asset management because as we talk to our customers, you know, for building any risk operation center, the foundation is asset inventory. And without that, you cannot succeed. And so that was a big feedback that came about. So that's included. What we have added also is the agentic AI capabilities for them to be able to augment their security team with AI agents so that they can really manage outcomes for cybersecurity within their spend and optimize because everybody's being asked about how they're optimizing their spend even in cyber. And the ability to have very focused threat intel that will allow them to validate exploits. So that's included. The upsell that we look forward to is then once they have used ETM to be able to get the inventory, to be able to confirm that the exploit can work in their environment, Then they purchase True Risk Eliminate, which includes patch as an example and mitigation, so that they can get that particular thing actually remediated. Because at the end of the day, we can create all kinds of visibility, but given that attackers are exploiting vulnerabilities, if you saw the recent Mandiant report in minus one day on an average, which is even before patches are coming out, the key is going to be about being able to remediate things and mitigate things, even if you don't have a patch available. The pricing, to answer your question, is up to 100% is what we see with the addition of VMDR ability to bring in CSAM, agentic AI, as well as ability to conform exploitation. And then from there, the upsell will be they will pick an upsell to eliminate so that it allows them to do more in terms of actually getting an outcome.

Really helpful. Thanks for the call.

Thank you.

Our next question is from Patrick Colville of Scotiabank. Your line is now open.

Thanks for taking my question, guys. I guess I want to ask two parts. One is on the Fed. I know the Fed is like a more nascent notion for Qualys, but what are you guys seeing in the Fed, especially in the first couple of weeks of 4Q, given the shutdown? And then the other question I'd like to ask is about the competitive environment. And the reason I ask this one is it's the one we get most from investors. And it's like, is the competitive environment changing for Corliss given noise from vendors like CrowdStrike and others who are, you know, claiming to be entering the space and winning shares? So are you coming up against different companies now versus a year ago? And, you know, results speak for themselves. Win rates seem high, but, you know, can you talk to that as well? Thank you.

Yeah, that's a two-part question, so let me stay focused to answer both of them. So first one is on the federal side. As you already know, we're at our very, very early innings, and we made the investment and the commitment to get FedRAMP high, which has really created very, very powerful conversations. I mean, I had the pleasure of actually being out in D.C. and having some very critical meetings there to start to have the conversation around Risk Operations Center, how it can help the government and essentially bring efficiency. And so you kind of have the doge, which is, of course, that is driving people to think more of efficiency in terms of how they can consolidate different things. And that's where the Risk Operations Center as a way to eliminate fixing things that don't really matter to the risk has really resonated well with our federal customers. Today, it's not just the spend of the tool, it is the amount of spend you put in remediating things that the tool is telling you, which is a waste of time and money if those things are not even exploitable. So for us, what we are seeing is, very exciting early conversations. We see lots of opportunities over the next few years. Of course, when you have the current scrutiny that is going on, sometimes people are taking a bit of a wait and watch opportunity. In other cases, we're actually seeing opportunities coming to us because of the focus on being able to be efficient in terms of the risk operation center. So it's a mixed bag but overall from what we see right now is we don't have as much exposure revenue to that but we do see that this is an area that we have committed to invest over the next few years and FedRAMP was our first step and now with our focus on the conference we did in D.C. and we are going to continue to invest in the federal space moving forward. On the vulnerability management and competition side I think I was really excited to see that Qualys got the leader position in GigaOM's patch management above many of the other vendors that have been out there because really with what we have been seeing and what I saw a few years ago and why we have been talking about how vulnerability management is evolving, less about detecting more and more CVs, most people are barely fixing 5% of the CVs that are being discovered because it's creating so much noise. While there are other players that talk about discovering more CVs, the focus for Qualys and what we are doing with Risk Cooperation Center has been about how we are helping customers really narrow down. And we did that at our conference, Rockhorn Conference, where we showed a nice little representation of how 62 million findings after applying the right agent in threat intelligence went down to 2 million findings that really mattered in terms of any risk. further after applying business context went down to only 300,000. And so our focus has been shifting towards how do we help the customer actually pinpoint exactly what matters from a third intel perspective, but then also how can we help them immediately fix it because if attackers are attacking things in four hours, you don't have time to go and create JIRA tickets and ServiceNow tickets and wait for other teams to use different patching solutions and different mitigation solutions to do that. And so what we're doing now, what we're seeing is really an evolution of that is the customers really like our capabilities, accuracy of detection, et cetera. But we have also opened up the platform now with Rock to be able to ingest data from other areas like OT or other EDR tools that might be collecting CVEs so that we can help customers actually narrow down that focus of what really matters and the key exciting thing is for them to be able to get things fixed with Qualys which is something that and you know validating the exploit and then getting it fixed with Qualys is what is focused for most of our customers right now. So primarily we see Tenable Rapid7 yes occasionally we see some of the other tools that are talking about giving more CVEs, but customers are focusing more on how do we get the key things remediated quicker rather than discovering more which they are not fixing anyway.

Thank you, Sumedh. That's super helpful.

Thank you. Our next question is from Mike Sikos of Needham. Your line is now open.

Great. Thanks for taking the questions, guys. I just want us to double check, and congrats on the quarter here. Was there any one-time benefits to revenue or CCB that we need to take into account on our side? And then secondly, as a follow-up, Jumi, great to see the results. Net dollar retention obviously remains here at 104. What needs to happen for that net dollar retention to actually start picking up from where we are today?

Thank you. Yeah. With respect to CCD, nothing specific to call out. It was a solid quarter. As usual, you do get some benefits or negative impact from out of cycle renewals, but nothing material that we think that's specific to this quarter. So it was really a solid growth quarter from an execution standpoint. Net dollar expansion rate, we'd love to get that up from 104 and upward. And this is part of the reason why Sumet had commented on the fact that we've been really focused on making sure that we're delivering the message in terms of how ATM could be beneficial to our existing customers as well as new prospects. And so as we look to the cohort of customers that are up for renewal in each respective quarter, we're making sure that they understand the value that they could potentially see from, you know, whether they're looking to upsell from CSAM to ATM or cross-selling with adding ATM to their existing VMD or solution, we think that that could be a meaningful impact during that dollar expansion rate.

Thank you so much.

Thank you. Our next question is from Kingsley Crane of Canaccord Genuity. Your line is now open.

Hi, thanks for taking the question, and congrats on a really great quarter. If we think about agentic AI within the Risk Operations Center, total AI within VM, and then the CNAP suite, it all requires significant development resources. So how are you prioritizing R&D spend across those initiatives, and just what metrics do you use to evaluate resource allocation?

Thanks. Yeah, that's a great question, and I think it's really the focus for us on investment in R&D and sales and marketing, right? And so at the beginning of the year, we started with the plan to hire a CRO from a sales perspective and put focus on hiring more engineers, et cetera, to be able to deliver on all the capabilities that we're talking about. And I think as we have, I'm pretty happy with our focused execution with the level of investments that we have made and the way Sean, who is our VP of Global Sales, has executed with the team to give us a solid quarter. And so the focus for us now is to really, from a sales marketing perspective, to focus on working with Sean and team so that we can get efficiencies from what we are seeing cross-functional between our sales team, our product management team, et cetera. And then on the R&D side, we have had really good success with leveraging AI internally within our own development efforts. And as an example, pretty much stopped hiring anybody in QA anymore. We are seeing 20 to 25% efficiency gain with our best engineers. And ironically, it's actually the best engineers who are getting the most benefit out of using AI. And so in a way, with all the things that we are doing with adding AI into the risk operation center, AI is benefiting us in adding those without significant increase in our R&D expense. And so I think at this point, the way we are looking at it is we're going to continue to leverage AI and of course we're going to invest back in our business, but no need really at this point for us to look at having CRO as the team is executing well-focused with what our goals are. And then on the R&D side, again, we of course, if you see the innovations that are coming out, it's a pretty rapid pace. We will of course continue to invest in R&D, but it's all going to be looked at from the lens of what kind of investment we will make in terms of people versus AI tools and how those tools are going to give us the required efficiency or, you know, I would say unexpected efficiency in some cases. And so we're excited about what we're going to be able to do from both adding the risk operations center, agent DKI capabilities, while internally also using agent DKI across the board, not just in R&D, but also in sales and other areas as well.

And just to add to that, we are extremely focused on making sure that we have the right team structured and the focused areas. And from a product development standpoint, we have different teams working on whether it be total AI or ETN. And because of that, we are continuing to increase the hiring, the R&D, the engineers. It's just that the geographic mix of incremental hires has shifted more to be in India, which has helped from an R&D expense standpoint. But We are making sure that we're working across the different orgs or different functional areas within the engineering team to make sure that we're prioritizing in the right manner.

Really helpful. Thank you.

Thank you. Our next question is from Srenik Kothari of Baird. Your line is now open.

Yeah, thanks for taking my question and echoing my congrats to the team. Sumit, the two questions Confirm announcement definitely sounds like a step function moving from, as you said, the risk going to automated exploit validation and at scale. Just curious, do you envision this also becoming sort of a pillar like ETM as in monetizing it standalone or do you think of it as becoming an on-ramp to move customers into broader ETM and then just With the POCs converting and all the large enterprise consolidations you talked about, how should we think about the ETM trajectory ahead? And then I'll quick follow for two minutes. Yeah.

That's a great question. And you look, I mean, I think I'll say that at the end of the day for risk management, you only manage your risk if you have eliminated the right risk, right? You know, just building dashboards and as I said, dashboard tourism is not helping with just visibility. And so at the end of the day, for that to happen, you need to have three things. You need to be able to collect data from multiple sources so you can get a broader picture of the view and you're applying threat intelligence and you're seeing some of the traditional CTEM, which has been around for many years, some of the CTEM solutions are just giving you how we consolidate the data and here it is. And so they are giving you a theoretical view of what might be exploitable in the environment But with TrueConfirm included as part of ETM, we are going a step further relative to these CTEM visibility-only platforms, giving them the ability to actually confirm, and that's included as part of ETM, it's not an additional upsell, but that helps us differentiate from the CTEM-only solutions, gives them the ability to confirm in their environment that an exploit actually works, and then, the upsell from there is really and that's kind of how we look at the beachhead for converting our customers from the mdr2 to etm is that that conversion then will allow us to upsell them to the actual eliminate capability because again like i said if attackers are looking are starting to exploit vulnerabilities you know even before patches are being made available it is really about speed and so you need to be able to quickly detect the vulnerability you need to be able to then confirm that it is exploitable in your environment rapidly, and then the next logical step has to be a automated AI-driven fix so that you can get it fixed before the attackers get there. And that's really where the risk cooperation center is not just a CTEM solution. It really is more than a CTEM solution, which is just giving you dashboards.

Got it. Super helpful. And Jimmy, very quickly, some advice about the AI driver for automated remediation and orchestration scale into The model MROC partner delivery, again, also reducing the heavy lifting internally. Just curious, as partners increasingly monetize these services, how should we think about incremental leverage and how we're thinking about that? Thanks.

Yeah, I think that MROC will really help us to grow the top line. Because how we see the new product and value proposition in terms of the customers being able to really see how ETM could help them from a risk management standpoint, they will need assistance from the partners to really make sure that they're implementing the tool they're utilizing in the appropriate way and they're maximizing the ROI from their respective customization that's required from the organizational standpoint. So with working hand-in-hand with the partners to help us to accelerate the top-line growth for us We think that we will get some leverage from a margin perspective, but really the unit economics, we don't really see a material shift there. I think we're already seeing some kind of benefit as we continue to shift more of our business to the partner side and then layering on top that MROC professional services or additional implementation help that the customers might see will help accelerate that revenue growth and the ATM penetration.

And just to kind of add to what Jimmy said, I called that out as an example in our earnings calls where an MROC partner brought this new logo opportunity to Qualys in the Middle East, one of the largest airlines, because they were excited about, not because of just the margin here or there, they were excited about the ability to provide high-value risk management services to their customer if they brought that customer to Qualys versus just selling them some other VM scanner that would just give them more findings and they would have to do a lot of work to provide value on top of that. So that strategy around MROC partners are bringing not just ETM, but they're also bringing us other customers, other deals with the understanding that these engagements with Qualys will lead to services revenue for these companies.

Great. Thanks a lot so much, Rumi. Appreciate it.

Thank you. Our next question is from Junaid Siddiqui of Truist Securities. Your line is now open.

Great. Thank you for taking my question. As you pivot more into a platform play, are you seeing any changes in sales cycles from customers?

I mean, I think nothing notable to call out for. I think there's good and bad at times for us to be able to show the value of the platform by ingesting data from tools that they already have can be a win instead of saying you need to do a deployment of our agents and scanners everywhere to see the value that quality brings and then the pricing can allow them to think about maybe eliminating their existing solution over a period of time. And so I think today, I think so far we are in the early days, but We're seeing, especially with the ROPCON conference that we had and the product advisory board where we had a lot of the top banks out there, I think the feedback is a lot of excitement around the Risk Operations Center as a focus area rather than just trying to do a scanner-to-scanner replacement and the time and effort it takes. This is something that they feel like is something that they can justify in terms of moving quickly. Now, of course, it is something that is new. Everybody's looking at it this year. So it is allowing them to figure out how they're going to budget. Some people have the budget now. Some people are looking at it to budget for next year's purchases. But overall, the conversation has been pretty positive. And I think the goal for us is to not only existing customers, not only bring the Qualys findings into ETM, but that value they get out of that is going to encourage them to bring a lot of other findings and other assets that are not currently in QALYS. And so we are seeing that with some of the early adopter customers. They started with bringing QALYS VMDR findings into ETM, but then quickly pivoted after seeing the value to bringing, you know, sometimes twice as many assets into QALYS as they had before from other tools, increasing the license count for ETM. So that's kinda how we're looking at it as we progress is that it's gonna help us be much quicker in POCs and we don't have to walk away if a customer already has a competing VM scanner. We can actually just inject the data, show them the value, show them the business value and then go from there rather than doing prolonged POCs that involve deployment of agents and scanners which ultimately they see the value in that but it is sometimes just take a longer cycle. I think it's early days. We'll see how it develops, but so far in the initial engagements we have had, it's been pretty exciting and fairly quick moving. Great.

Thank you.

Thank you. Our next question is from Joshua Tilton of Wolf Research. Your line is now open.

Hey, guys. Thanks for sneaking me in, and congrats on a great quarter. I've been bouncing around a few calls tonight, so I'm actually going to ask a pretty high-level question. And my question is, we have the privilege of covering three publicly traded vulnerability management vendors, and you guys are all kind of growing at different rates. And I guess my question to you is, are the deltas in your growth rates a function of things changing within the VM market, and therefore some of you are growing faster, taking share, growing slower within VMs? Or are the delta and the growth rates because some of you have taken these broader platform plays and you have these non-VM products that are separating the growth between these three players? And if it's the latter, I guess, can you just help us understand which of the non-VM products for you were really driving the separation and growth that we're seeing at Qualys versus some of the other players? Thanks.

I would just say that some of us just have an awesome organic platform. That's why we are growing at a different pace. Right? Having said that, I think we've talked about this for a few years. VM has been changing and people are less focused on just scanning and more focused on prioritization remediation and that's why we pivoted towards, if you recall, patch management a few years ago and we got GigaOM giving us that number one spot in there. analysis for Qualys which was a great achievement for us just within four years getting the number one over established players. We're also pivoting more with ETM towards the ability to not just not only collect data from multiple tools as well as our own tools but also ability to prioritize with threat intel. We have award-winning threat intelligence so we talked about that. And then the ability for us to actually confirm the vulnerability is exploitable by exploiting it and then getting it fixed. And so what we are seeing and we have been reporting on how eliminate patch management has been growing as a percentage of our LTM bookings. And then you also talked about now that our focus on ETM and how starting at the earnings call for Q1, we're going to focus more on um the the penetration for etm within our customer base which is elevating from vmdr to to ability to give them a broader risk operation center and then the upsell from that is going to be the eliminate capabilities to get things fixed and so um you know i i with the engagement that we have with our customers there is a big focus from customers on a business alignment of cybersecurity spend, the ability to look at risk from a business perspective. And what we are doing now and organically developed platform that we have that integrates so many different things together, I think is helping customers get a very quick and simplified view of their actual risk and the ability to actually remediate before attackers get there versus You know, competitors have multiple acquisitions with multiple separate tools that don't really work with each other. And they're not able to get that kind of, in my belief, they're not able to get the kind of response that we are able to give very quickly whenever there is something going on. And that's the feedback that we have been getting from customers.

Sumed, you had me at organic platform. But maybe just a follow-up for Jumi. If I missed it, I apologize. But any way to think about how we should expect billings growth to finish or current billings growth to finish this year?

Yeah, I think that's too far because it was a very strong quarter, a tough compare for last year. We do expect current billings to be a few percentage points below the revenue growth rate ending the year. So maybe think about it from like 2025, full year current billings growth at around 8%.

Super helpful. Thank you.

Thank you. Our next question is from Jonathan Ho of William Blair. Your line is now open.

Hi, this is Gareth Workamon for Jonathan Ho. Thanks for taking my question. I was just wondering if you could walk us through how you're thinking about contribution from your new and continued product innovations, like including AI and new modules around VMDR and MROD versus, you know, just continuing to upsell and cross-sell your existing install base. Also, can you just talk about how customer conversations are going with your MROC solution at this point? Just what traction you're getting there. Thanks.

Sorry, I didn't get the first part of the question again. So you're asking for contributors from Google?

Yeah, like new modules and new customers versus upselling products. your existing base in your existing modules?

Yeah, look, I think every customer is a different part of the journey, so we don't really break it out by individual modules. I think we have been giving color on the contribution of Total Cloud, which is our cloud native CNAP solution. We're happy to see the progress it is making in 30 days, but it was 5% of the bookings for the quarter. And then we also have, we called out patch management and cybersecurity asset management, which has been the focus for us the last couple of years. And we're happy with the penetration there. But we're also now pivoting more towards the risk cooperation center, ETM solution that we talked about. And Our goal is going to be just like we did from VM to VMDR a few years ago, really uplevel our customers from VMDR to ETM solutions, which we have a very nice existing installed base of vulnerability management customers that we can work on upselling them and cross-selling them to ETM, which, by the way, will include cybersecurity asset management already. And then next step above all that, we'll be upselling them to the Eliminate solution to actually get things fixed. Conversations have been super positive around Risk Operations Center. As I said in the earnings clip, one of the big differentiators for us has been the CRQ and the business focus on risk management rather than just doing technical scores, and that was underscored at our ROCCON conference in Houston where we added a business track, separate business track for cybersecurity, which had sessions with CFOs and board members and insurance companies and actually because of that we had a 20% increase in attendance because people were really focused on making sense out of from a business perspective. So the conversations with customers around risk operation center and ETM solution from Qualys has been that they really like that we're not just a CTEP solution giving them dashboards. We're actually natively fixing issues for them rapidly as well as we're giving them AI-based intelligence around the business and for their particular industry, what is the risk of ransomware? How much money could they lose? Why should they fix this particular vulnerability versus not fix another vulnerability? So it's been very positive feedback and we're excited about that. And so I think as we get into the next year, we are really putting a focus on EQM and as part of that, We have some internal promotions to align well with our go-to-market strategy there with product management and Jonathan, our CISO, also really working on helping us as a GM for our risk operation solutions to really bring all of our teams to executing more towards ETM and getting the benefit out of upselling our customers to ETM. And that's where we've seen the Q1 earnings call will be starting to focus on the opportunity ahead of us in addition of course you know one of the reasons is like there's a lot of synapse solutions out there we see the resignation what is resonating with customers with our synapse solution there's not so much individual features but it is again the ability to bring the cloud risk as part of the holistic business risk and so yes other synapse solutions can tell you how many open buckets that you have after the public but if you ask them what does that mean how in dollar value loss to your company if one of them is compromised they don't have answers to that. And so our cloud security solution is actually integrated from a risk perspective to give that business quantification, and that's what the feedback that we're getting from customers. And so as I look into next year, our focus is going to be on ETM as the big focus to cross-sell our customers. It's going to be continued investment for long-term in the federal market, focus on the continued innovation that we have with Illuminate capabilities, and then All of that is going to be underpinned by our work that we are doing with MROC partners, which I think is going to contribute even more to scale our business in 2026.

Thank you.

Our next question is from Joseph Gallo of Jefferies. Your line is now open.

Hi, guys. This is Annick Bauman on for Joe Gallo. Really strong quarter. Can you just share some color on where exposure management is in terms of budget prioritization in 2026? And can we expect billings to track in line with your noted 8% for 2025?

I think I'll answer the first part is, you know, we're seeing definitely customers are looking to invest in proactive risk management solutions. And as I said, that the risk operation center is part of that and business quantification. With the feedback and response that we're getting from customers, this is definitely an area that they are focusing on in all the conversations that we had with this year. I think a lot of customers see the risk operation center and the security operation center, ROC and SOC, kind of working closely with each other because there is a lot of fatigue currently on the SOC side because of too many alerts. And the feeling is that if they can focus on better prevention in the first place, that can reduce the number of alerts and reduce the fatigue that they see in the SOC. And people are looking to balance in the early conversations. While I don't have exact percentage right now, We will see how it evolves in next year. People do talk about balancing their cybersecurity budgets between proactive risk management versus just reactive after the fact that somebody is in your network. And a lot of that has happened in the past. And ultimately you cannot do away with one or the other. You need both so that you can practically reduce risk while having the monitoring needed if there is a compromise to block that. But there is definitely a focus on customers to prioritize the split between those because again, if they don't prioritize what they're fixing accurately, then they're asking and wasting their IT team's resources and fixing things that don't actually matter while at the end getting more alerts in their socks. So from that perspective, we are seeing conversations around the risk operation center and their exposure management is one part of that are definitely trending where customers are like in this ability to think about how much they spend in proactive risk management in terms of business risk and how much risk they will have, which is what I talk about in my keynote as well at the ROC on moving from attack surface management to risk surface management. You can spend a lot in covering your back surface, but the risk of loss was only $50,000 and you spend $500,000 to your attack surface. That's not a great business equation. So that's what we are hearing and we've seen from our customers in terms of billing. So during

No, I think that 8% that we believe that we'll be able to achieve in 2025 for the full year is on track.

Thank you. Thank you.

Our next question is from Rudy Kessinger of DA Davidson. Your line is now open.

Hey, great. Thanks for squeezing me in here. Just a clarification on that last question, Jimmy. You said that 8% billings for this year is, quote, on track. Is Is that to imply that, you know, you think you can do 8%-ish again next year, or can you just clarify that, please?

Yeah, so right now, I mean, billions has a tendency to be very lumpy. So for this year, we think that we're going to end the full year at 8%, which implies a lower current billions growth rate for Q4, given the tough compared to one year ago. In terms of next year, it's a little too early to tell in terms of 2026 what we think that we'll be able to achieve. A lot of it will depend on what we'll be able to close the year at when it comes to the net dollar expansion rate. And we are monitoring very closely in terms of the newer product adoption to give us a better sense and clarity into what we think that we should be anticipating for 2026 growth rate.

Got it. Okay. And then, you know, you guys had some pretty decent results the last few quarters now. Growth has been stable at 10% the last four quarters, I believe, on revenue. You've got NRR stable at 104%. What, I guess, what would you need to see to maybe give you guys confidence in maybe declaring that, you know, you can deliver stable 10% plus growth over the next couple of years?

Well, we're certainly working towards that. I think the key growth vectors we see right now are converting our VM customer base to VMDR customer base to ETM as an area of focus, creating upsells with Eliminate on that. We continue to see a lot of interest for our cloud security solution, and I think with long-term federal opportunity that we are focusing on, we had a really good conversation with the Risk Cooperation Center on the federal side as well. I think those are the areas that we continue for short-term, medium-term, and long-term growths, which is again underpinned by our focus on MROC partnerships, but we're really laser focused next year on our VMDR conversion and the upsells with Eliminate.

Thank you.

Our next question is from Yoon Kim of Loop Capital Markets. Your line is now open.

All right, great. Congrats on a solid quarter, Sumit. On the enterprise true risk management, ETM, is that primarily a big deal sales motion or is it just a combination of a bunch of products that could be purchased and deployed in multiple phases and collectively that could lead to 100% uplift over time? Just want to get a better understanding of that 100% plus uplift commentary.

yeah i think we feel and with the early response from customers you know we feel like we can uh hold up to up to of course you know 100 of the dmdr because we're adding them uh we are providing them ai capabilities agent ki capabilities marketplace built in where they can essentially bring on a ai agent as part of their team for four weeks as they're focusing on an audit or for three weeks as they are triaging their ransomware related vulnerabilities And so CSAM is also included in that. Ability to test exploits is also included in that. And so we feel like that's something that is going to be helpful for customers. Primarily it is VMware, CSAM, plus all the new capabilities that are highlighted are what is focused on there. Now, we also talked about QFlex, and I think a lot of this is going to go hand in hand as we start seeing scale next year. A lot of these customers who are looking to buy at ETM are also going to be interested in our eliminate platform and also be interested in cloud and so we the QFlex is what sort of we talked about is from our ability to provide them a way to try and use different call-less modules that make sense to them instead of having to go through multiple purchase cycles through the year. And we are going to see a combination of the QFLIX pricing with ETM cross-sells are the focus for us as we get into next year.

Okay, great. Looking forward to ETM adoption next year, given that it sounds like it's going to have a big impact. Just, Sumedh, you haven't done any acquisition in a while or anything sizable. If you can just give us an update on your view on acquisition strategy. Obviously, you've got the performing very well. The business overall is stable. You've got this ETM kicking in starting next year. Obviously, you're very proud of your organically grown platform, but you must see a strategic opportunity to expand your offering to get to that place faster than organically. Are you tempted at all, given how dynamic the market is evolving?

We are always open to all kinds of different opportunities to look at organic, small acquisition, some larger acquisition potential as well. That makes sense. We definitely come more from we want to give our customer an organic experience with the platform. Having said that, we have done token acquisition in the past where if there is a fit with our platform, we're not shy of looking at something larger. But currently with the way we are executing, focusing, and one of the things that happens with ETM now is that we are able to increase the asset count that the customer has with Qualys by actually bringing data from other tools and may not necessarily need them to essentially buy that particular capability from Qualys as an example. Like now with ISPM Identity Solution as an example, that we have as part of ETM, we can pull an identity from Okta and AD and others, and we don't necessarily have the customer to us to maybe acquire an AD security company. We can work with companies out there while that increases the asset count in Qualys. These dynamics keep changing, and we see efficiencies coming out of AI. We're seeing ability for us to look at various players in the market, how they are doing, and we continue to stay focused on our roadmap from an organic experience for our customers while also keeping an eye on the industry and looking at whether it's going to be a smaller or larger acquisition. We're definitely continuing to be open to that.

Okay, great. Thank you so much.

Thank you. This now concludes the question and answer session. Thank you for your participation in today's conference. This does conclude the program. You may now disconnect.