Qualys, Inc.

Ladies and gentlemen, thank you for standing by. Welcome to Co-ops' fourth quarter 2025 investor call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question and answer session. To ask a question during the session, you will need to press star 11 on your telephone. You will then hear an automated message advising your hand is raised. to withdraw your question, please press star 1-1 again. Please be advised that today's conference is being recorded. I would now like to turn the conference over to Blair King, Investor Relations. Please go ahead.

Thank you, Michelle, and good afternoon, and welcome to Qualys' fourth quarter 2025 earnings call. Joining me today to discuss our results are Smith Dakar, President and CEO, and Jumi Kim, our CFO. Before we get started, I'd like to remind you that our remarks today will include forward-looking statements that generally relate to our future events or future financial operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest form 10Q and 10K. Any forward-looking statements that we make on this call are based on assumptions as of today And we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. The reconciliation of GAAP and non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks, and investor presentation are all available on the investor relations section of our website. So with that, I'd like to now turn the call over to Smith.

Thank you, Blair, and welcome to our fourth quarter earnings call. As threat actors continue to compress time to exploit, we believe the next phase of pre-breach risk management will be defined by an agentic AI-driven risk fabric with out-of-the-box business quantification and automated remediation to respond to the speed of these threats. Against that backdrop, we continue to execute well in Q4, demonstrated by another quarter of strong revenue growth and profitability. In my conversations with hundreds of CIOs and CISOs, as well as security leaders from many of the world's largest and most innovative organizations, one message has remained consistently clear. Reducing cyber risk isn't about detecting more exposures. It's about operationalizing a cyber risk management program that aligns spend with risk tolerance. In doing so, CISOs are increasingly prioritizing the unification of fragmented security stack into a centralized risk fabric, one that serves as a credible alternative to single vendor platforms by bringing diverse risk vectors into a prioritized measurable view of risk that the teams can confidently communicate and remediate at machine speed. That message was further amplified at our recently concluded ROCCON conference in Mumbai with attendance of over 30% from last year's event as we again broadened the agenda to include a business track. And with the advent of AI, which is democratizing cybercrime and enabling adversaries to operate with unprecedented speed and sophistication, this need is only intensifying. As a result, we believe that the future of pre-breach risk management belongs to vendor-agnostic agentic AI-powered solutions that continuously predict, assist, confirm, quantify, prioritize, and remediate risk across on-prem and multi-cloud environments. Over the past years, we continue to execute relentlessly towards this vision. delivering meaningful platform innovation to help customers reduce risk faster, operate more efficiently, and stay ahead of an increasingly dynamic landscape. Accordingly, in 2025, we broadly expanded the QALYS ETM platform, the third-party data, and launched a powerful new orchestration layer that unifies QALYS and non-QALYS findings, applies our industry-leading correct intelligence, and delivers a business contextual quantified view of risk with built-in prioritization and automated remediation. Building on this foundation, we introduce an agentic AR risk fabric that assesses and normalizes diverse internal and external data sources, applications, and machines. We extended these capabilities with a first-of-a-kind AI risk management marketplace, enabling security and IT teams to quickly augment their existing workforce with highly specialized autonomous experts that significantly reduce time to remediation, increase accuracy, and reduce costs. To further close security gaps, we again organically enhanced ETM with a natively integrated identity security posture management solution at a time when identities have become part of the new AI perimeter. And further flexing the power of our platform, we are now confirming exploits before customers are compromised. While traditional continuous threat exposure management solutions rely on a theoretical risk score and ignore mitigating security controls, ETM takes a fundamentally different approach. On a single platform, it uniquely detects vulnerabilities, validates exploitability, applies remediation, and revalidates exploit using agent AI workflow. The net result is that Qualys is redefining how organizations manage pre-risk risk management. While competitors continue to focus on detecting vulnerabilities or mapping theoretical exposures, Qualys has moved decisively beyond that model. We are pioneering the first authentic AI native risk operation center, ROC, a new category in cybersecurity designed to centralize an organization's response to threats, spanning expert confirmation to autonomous remediation. Powered by our ETM solution, the ROC, that present a fundamental divergence from traditional CTEM tools. Competitors can point to exposures. They can't quantify cyber risk in dollar terms that matters most to the business, and they cannot adequately fix that. ETM fills that gap. This is what sets Qualys apart. We don't stop at detection and non-quantifiable prioritization. We natively integrate CTEM, explore confirmation, risk quantification, and remediation operations into a single AI-powered workflow, leveraging both quality and non-quality data sources. In doing so, our architecture orchestrates and implements a perception reasoning action loop, enabling autonomous agents to collect real-time telemetry, reason through risk signals, plan response workflows, and execute actions. This enables organizations to holistically predict emerging risk across infrastructure, cloud, application security, IoT, and identity, safely confirm probable exploits, prioritize threats based on business impact, remediate through patching or other compensating controls, and verify the effectiveness of the remediated tactic. This end-to-end vendor neutral approach is catalyzing a paradigm shift in pre-breach cyber risk management where customers aren't just seeing their risk holistically across the risk stack. They are validating it, quantifying it, and reducing it continuously and autonomously at scale. By aligning security and IT decisions directly with business priorities, We are providing organizations with measurable proactive risk collection that brings customer value. Armed with this fresh new set of capabilities and early momentum already validating this model, we are now laser focused on accelerating ETM adoption through our VMDR customer base and positioning Qualys for larger upsell opportunities over time. Moving to our business update, with customers spending $500,000 or more with those growing 4% from a year ago to 215, let me now share a couple of recent wins, which illustrate why organizations ready to centralize the response to cyber risk are turning to Qualys to help unify their cybersecurity stack, quantifying the immediate risk in their environment, and fortify their security operations. First, an existing Global 50 customer was struggling under the weight of multiple unintegrated security tools, millions of vulnerabilities, and limited visibility into the overall risk profile. Traditional prioritization efforts were unable to adequately filter critical findings, leaving security and IT teams without the necessary business context to act decisively. Consequently, this customer selected Qualys and launched a strategic initiative to unify their security stack by transforming silos with risk signals spanning on-prem and multicloud environment into a cohesive agentic AI native risk management solution. This included expanding the ETM deployment to further operationalize the ROC with ingested third-party data from several sources, resulting in a mid-six-figure annual bookings of . By consolidating these data sources into the Qualys platform, we are now delivering this customer a unified orchestration layer and full visibility of their attack surface centralized risk assessment, quantification, prioritization, and remediation workflows while unleashing the operational efficiency of the stack consolidation. This expansion of the ROC underscores the power of our platform and reinforces Qualys' ability to unified signal, operate at an autonomous defense layer, strengthen customer outcomes aligned to the business risk tolerance, and advance our leadership in the industry. Leveraging our MROC partner ecosystem, we are also pulling new business into Qualys. During the planning stages of launching a new ETMPOC with a global 200 company in Latin America, we secured a seven-figure annual bookings upsell, which included our and policy audit solutions. This win demonstrates the leverage of our partner-led motion and our ability to convert early engagements into meaningful multi-solution growth. Turning to our federal business, we achieved a mid-six-figure expansion as one of the federal government's most visible shared security services. utilized by several large government agencies nationwide. Faced with an overwhelming volume of security issues that limited resources to continuously assess risk across augmented tools and manual workflows, this customer chose Qualys for its cloud native high authorized platform to enable a centralized government program that quantitatively prioritizes risk with automated assessment standard output, and low operational overhead. Given the success of this deployment, we are now working towards a multi-agency ETM rollout representing a significant upsell opportunity as this shared service system prepares to operationalize its risk operation center. These results, alongside another six-figure upsell with a separate large federal agency, reinforce our ability to align technical capabilities with operational outcomes. that address modern security challenges and underscore the long-term growth opportunity in our federal business. Beyond these wins, they're also gaining more leverage from our partner ecosystem. As we continue to endorse a partner-first sales motion, partner-led deal registration increase again in Q4, reflecting deeper alignment and execution across the channel. In addition, with well over a dozen certified MROC partners actively launching new services, Momentum continues to build towards a global rock alliance fueling our capability, harnessing transformative solution sales, and bringing new business to Qualys. Further contributing to our growth profile, in Q4, we continued beta testing QFlex to help customers accelerate and maximize adoption of the Qualys ETM platform. Given the strong customer response and early success of this model, we plan to continue to focus on proactively identifying opportunities to leverage QFlex to enable select customers and partners to accelerate the adoption of WALIS solutions in 2026. In summary, we are fundamentally changing how organizations manage pre-breach cyber risk by unifying CTEP with expert confirmation risk quantification and automated remediation powered by an agent-AI risk fabric. Our rapid pace of innovation and strategic investments are driving strong competitive differentiation, deeper ROC adoption, broader engagements across large federal agencies, growing partner-led execution, and initial QFLEX success. Looking ahead to 2026, we'll continue our disruptive innovation, further advance our global market investments, and execute our rock vision with a balanced approach to long-term growth and profitability. With that, I will turn the call over to Jimmy to further discuss our fourth quarter results and outlook for the first quarter and full year 2026.

Thanks, Ned, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP. and growth rates are based on comparisons to the prior year period unless stated otherwise. We're pleased to report a healthy finish to the year, highlighting our continued execution, financial discipline, and scalable business model. For the full year, we grew revenues by 10% to $669.1 million and achieved adjusted EBITDA margin of 47%, even though it's continued 14% growth in investments and sales and marketing. Net income in EPS grew 13% and 15% to $253.8 million and $7.07 per diluted share, respectively. And free cash flow reached $304.4 million, or 45% of revenues, all of which exceeded our expectations for the year. Turning to fourth quarter results, revenues grew 10% to $175.3 million. The channel continued to increase its contribution making up 51% of total revenues compared to 48% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 4%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By GEO, 15% growth outside the U.S. was ahead of our domestic business, which grew 6%. U.S. and international revenue mix was 56% and 44%, respectively. With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2026 to remain similar to last year, with a low to mid single-digit growth in security spend persisting for the foreseeable future. Reflecting this sentiment, our gross dollar retention rate remained comfortably above 90%, but saw a modest sequential decline in Q4, with our net dollar expansion rate at 103%, down from 104% last quarter. In terms of product mix, our differentiated new products continue to drive growth with all three of the following increasing contribution to bookings in 2025. First, cybersecurity asset management combined with ETM made up 10% of total bookings and 13% of new bookings in 2025, up from last year's 8% and 9% respectively. Next, patch management made up 8% of total bookings and 16% of new bookings in 2025, up from last year's 7% and 16% respectively. Lastly, Total Cloud made up 5% of total bookings in 2025, up from 4% a year ago. We believe that these differentiated products combined will continue to increase contribution to bookings in 2026, given our opportunity to increase market share and maximize share of wallets. Turning to profitability, adjusted EBITDA for the fourth quarter of 2025 was 82.6 million, representing a 47% margin, same as last year's. Operating expenses in Q4 increased by 11% to 68.9 million, driven by investments in sales and marketing, which grew 18%. With this strong performance, EPS for the fourth quarter of 2025 was 1.87 per diluted share, and our free cash flow was $74.9 million, representing a 43% margin compared to 26% in the prior year. In Q4, we continued to invest the cash we generated from operations back into QALYS, including $724,000 on capital expenditures and $44.7 million to repurchase 328,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.7 million shares, returned over 1.2 billion in cash to shareholders. As of the end of the quarter, we had 160.5 million remaining in our share repurchase program. We're pleased to announce that our board has authorized another increase of 200 million to the share repurchase program, bringing the total available amount for share repurchases to 360.5 million. With that, let us turn to guidance, starting with revenue. For the full year 2026, we expect revenues to be in the range of 717 to 725 million, which represents a growth rate of 7 to 8%. For the first quarter of 2026, we expect revenues to be in the range of 172.5 to 174.5 million, representing a growth rate of 8 to 9%. This guidance assumes no material change in our net dollar expansion rate, with moderate growth contribution from new business in 2026. Shifting to profitability guidance, for the full year 2026, we expect EBITDA margin to be in the mid-40s, implying mid-teens increase in operating expenses and free cash flow margin in the low 40s. We expect full year EPS to be in the range of 7.17 to 7.45. For the first quarter of 2026, we expect EPS to be in the range of 1.76 to 1.83. Our planned capital expenditures in 2026 are expected to be in the range of 8 to 12 million, and for the first quarter of 2026, in the range of 1.2 to 2.6 million. In 2026, with respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, accelerating our partner program, and expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing with more modest increases in engineering and G&A. With that, Sumedh and I would be happy to answer any of your questions.

Thank you. As a reminder, to ask a question, please press star 11 on your telephone and wait for your name to be announced. To withdraw your question, please press star 11 again. And the first question comes from Jonathan Ho with William Blair. Your line is open.

Hi, good afternoon and congratulations on the strong quarter. Can you talk a little bit more about some of your two flex offerings and how it potentially helps remove friction and perhaps encourages broader adoption of your platform?

Yeah, thank you very much. And that's a great question. So, you know, we've talked about this last quarter as well. I think if you have to, if you take that in relation to what we are doing with the Risk Cooperation Center and ETM and how we're differentiating ourselves from the exposure management solutions is that the ability to detect all your assets, find your vulnerabilities, ability to use agentic AI to actually not only prioritize those, which is what a lot of these exposure management solutions do, which is just giving you a score. We're leveraging the ability to use agentic AI to confirm those exploits within the environment, which is very differentiated from what everybody does. But then after that, actually, the ability to also remediate those. And so being able to get this end-to-end very quickly, very fast, before attackers are leveraging AI to do the same for your environment, the QFLIX proposal allows the customer at their pace to then be able to consolidate a lot of these capabilities on a single platform with Qualys. and do that over a period of time during their subscription with us, which allows them to maybe initially start with more of that prioritization and confirmation. But then as the year goes by, it allows them then to leverage our eliminate capabilities more and more to be able to focus on getting the outcome of getting these things fixed. And so what we're excited about is our conversations initially with the customers that have adopted this. have been very positive in the fact that, you know, the security environment is not a static environment at the beginning of the year. It is continuously changing throughout the year. And the flexibility that that pricing model offers them to actually be able to leverage different quality capabilities throughout the year as the threats change is a very big positive for them. So really happy with the feedback we have gotten in the beta phase. And at this year, 2026, we look forward to doing more of that and moving more towards the GA model for that.

Got it, got it. And then just in terms of some of your comments around AI, I mean, clearly you're seeing a lot of customer interest here. Can you maybe help us understand, like, where the customer is in terms of their AI journey and also help us understand what that opportunity looks like for Qualys? So if you start selling more of these agentic products, you know, AI, you know, sort of native products, you know, how do we think about, you know, how that can impact sort of net retention going forward? Thank you.

Sure. I think a lot of people talk about, you know, AI is embedded in their platform. I think where we differentiate ourselves is that what we have done is introduce the concept of an AI agent marketplace within the platform, which allows the customers to actually augment their workforce, their security team, which we have talked about this for years, but there's never been enough talent in the security space. So the ability to get Agent Sarah, who is an expert in patches, the ability to get Agent Val, who is an expert agent with skill sets that can autonomously make calculations and decisions on exploitation, remediation. So, the ability to say, look, I want to employ this particular agent on the platform to achieve a task, which otherwise would take me weeks and months to hire a consultant to get that outcome. What we've done with our agent AI capabilities is not only have those built into the platform, but with agent AI, we can now actually have these agents that feel like they're really part of that team and they can help you get those outcomes. And the way we have really positioned this is that customers who are leveraging VMDR, they get a really high-quality list of findings, but then as they cross-sell into ETM, they get the ability to not only do the prioritization of these vulnerabilities, but they get the agent API capabilities, which then allow them to achieve different tasks. you know, as you look at how customers are thinking of headcount, et cetera, in the agent AI world, these really help them get to those outcomes pretty quickly. And then, of course, in addition to that, with our total AI offering, we're also helping customers detect, find, and address vulnerabilities and misconfigurations that are coming up in the AI workload that they have. And so, with that, we look forward to customers bringing more data around their own agent, around their own AI solutions into Qualys ETM. We believe that the AgilityKI capabilities are a differentiator for customers to upgrade from or to cross-sell from VMDR into ETM, as well as looking at some of the other exposure management solutions where they just give you a score. this will allow them to actually use an agent AI to get action done pretty fast and pretty quickly. And so we see that differentiation can be the catalyst for us for customers to pick ETM over some of those other exposure management solutions that are out there.

Thank you.

Thank you. And the next question will come from Kingsley Crane with Canaccord. Your line is open.

Hi, congrats on the quarter. You answered some of this in the prior response, but we'd just love to hear more about how AgentVal is elevating ETM from an advocacy perspective and just how AgentVal is reducing total man hours at the customer level and how that's resonating with customers. Thanks.

Thanks, Inslee. I wish, unfortunately, the call is only an hour, but I could talk about this forever. But look, I think we've seen the history of this evolution, you know, back when, you know, Canada somewhat with this is like everybody's giving you theoretical scores, right, based on the vulnerability findings and CVE information that is out there. Unfortunately, a theoretical score does not actually mean that a high score does not mean that the customer may not have other controls in place. that mitigate that actual exploit from working in that environment. They might have a firewall. They might have something else, memory protection that is enabled that a typical scanner or a typical exposure management solution will not pick up. What AsianVal does is leverages that decision-making, autonomous decision-making process to basically look at the findings, look at the scoring, but then actually the ability to run a very safe exploit against the asset to confirm whether that vulnerability is actually exploitable in their environment, on their machine, or it is not, not just a theoretical score. And what typically happens is when the security team gives these scores to the IT team, they spend a lot of time trying to chase down these findings only to feel like, oh, this was a false positive because, look, we already have a control in place, and a lot of time is wasted in arguing back and forth. What the customers really want to be able to do is not waste their IT team's time on fixing things that actually are not exploitable in their environment. And the ability to for sure confirm by running an actual exploit in a safe manner that this is or is not exploitable means that the IT teams will be saving significant amount of time not chasing down ghost scores and will actually have a absolute confirmation that, yes, it is a very highly exploitable vulnerability, but I don't need to worry about it because I have other controls that are mitigating this, or it is highly exploitable, attackers are using it, and I don't have a protection in my environment. So, instead of just chasing scores, I can actually go and focus on fixing these, and that's going to make it a lot safer. So, it's a significant time-saving for the customer because of this agent DKI workflow. They can actually then significantly reduce the number of findings that they have. And, you know, the other thing is that once the exploit is confirmed on your environment, you don't have the time to create JIRA tickets and ServiceNow tickets to then have people go and manually make the remediation. As soon as you know that this is exploitable in your environment confirmed, you want to be able to use another agent to immediately take off remediation and get it fixed. And you feel a lot more comfortable because now you have confirmed that this is exploitable. It's not theoretical, so people are going to want to also save time and not leave the exposure open for a long time by being able to run that exploit and then also automatically run that remediation. And, you know, you cannot show up for the AI fight today with your Jira tickets and your ServiceNow tickets. You've got to be able to do automation and autonomous decision making to get things fixed, and that's the differentiator.

Yeah, it's really exciting times, and it's good that you're leading the way here. For Jumi, it's been a remarkable year for quality. You guided at 7% at the midpoint entering last year, and you put up 10%, and now you're guiding closer to 8% this year. How can we think about the levers for upside to growth this year? Thanks.

Yeah, 2025 was a solid year from an execution standpoint. It was a very exciting year for us with ETM having gone live at the end of 2024. We've had a significant number of discussions with our existing customers in terms of how we can increase value without them having to double their spend initially with us. And so in doing that and working through our partners, what we were able to do is finalize our pricing and packaging for ETM. and identify our key products that are going to be levers for growth in the short term and the long term going forward as well. So 2025, solid year with closing the year with another 10% growth for revenue, which we're really pleased about. Now, when it comes to current billings, it came in line as expectations from last quarter with 2025 current billings growth of 8%. That's slightly lower than the 9% that we posted back in 2024 for current billing. So looking ahead to 2026, I think that's kind of more or less in line with what the baseline case is for us. Looking out, our guidance is really informed by what we see in the business today, the discussions that we're having, what we expect from the macro, and then the spending environment. With that said, we do anticipate significant upside given what Sumedh just covered. We have very exciting product discussions with existing customers as well as prospects. I think that we've gone ahead and really leveraged our innovation and our power to really deliver what the customers are looking for and what the market is looking for. So we're excited about the outlook, but with that said, the baseline still remains to be around 7% to 8%.

Thank you. And our next question will come from Rahul Chopra with Berenberg. Your line is open.

Yes, thank you. I have a couple of questions. I mean, I appreciate these are not your estimates, but if I look at 2023 market share data which you gave, at that time you had market, total market is 64 billion. In the current debt, you are talking about 53 billion market for 2026. At the same time, I can see previously you had 28 market of, I think something around 79, 78 billion. Now 29 market is 75 billion. My question here is that basically, is the core market shrinking for VM and exposure management? I appreciate these are not your estimates, but I just want to understand what you're thinking about the core estimates in terms of the market itself. What is it doing? One. The second question is, I wanted to understand your thoughts about the competitive landscape in most general, especially given the service now is acquiring Artemis. Obviously, that's going to probably change some dynamics. So I wanted to hear your thoughts on that, please. Thank you.

Sure. I think I've been in this for 20 something years and vulnerability management has definitely changed. And if you recall, they've been talking about that as the number of assets has increased, the number of CVs and software has increased. We're seeing that customers in the traditional way that vulnerability scanning was done is just generating way too much noise and vulnerability management has evolved. which we have called out many times. And that's the reason the last few years we've been focusing on shifting and focusing on the solutions that customers actually are looking for. So as an example, when we innovated with patch management, personally to do that. And even today we're not seeing really much traction with others in batch management was yes, not just vulnerability management doesn't mean you just scan and scan and scan if you cannot get it fixed. And so as that evolved, we innovated, we came up with batch management as a capability, we came up with cybersecurity asset management that was needed for a successful VM program. Now we have expanded that capability with agent API with ETM, because that's really what customers are looking for is how do you continue to triage that and then adding the layer of of validation is another game changer in our mind from a vulnerability management perspective. And then along the way, we've also focused on, you know, how do we bring total cloud, which is a CNAP solution that we have, which we're very happy with the traction that we're seeing with that. We're coming up with agentic AI. So, for us, it is about how do we continue to track the areas that customers are focusing on, and then how do we maximize our share of that spend that they have. And that's what you're seeing the progression in the innovation that we are going. And it's great to see that there is a focus and attention on the CTEM exposure management marketplace, as you mentioned, the service now buying Armis, which has been around for a long time. using passive capabilities to detect asset inventory, et cetera. But the reality, again, is that today customers don't want just more vulnerability findings from these solutions that don't actually help you fix anything. And so what we are looking forward to is, again, autonomous workflows leveraging agentic AI to get customers to fix things quickly, as you saw in the recent mandate a report that the mean time to remediate over the last five years has gone from 63 days to negative one day. So today, again, with solutions like that, ServiceNow RMS and other solutions, do you have the time to create ServiceNow tickets and chase people down while attackers are having a free time exploiting your vulnerabilities? So what we feel pretty excited about with our customer conversations is the differentiation that we have that is allowing them to very quickly and accurately get to the things that actually matter to their business. put dollar value loss quantification numbers on it, get the validation, get the vulnerabilities fixed. And that is allowing us to differentiate. And that's where a lot of the conversations we're seeing are very positive in the focus of not just another exposure management solution, but moving towards a risk operation center. And so our goal here is that, of course, security market keeps changing, et cetera. We're bringing solutions that we are looking forward to maximizing the share of the customer spend focused on the pre-breach side of the security and not necessarily the post-breach side.

Okay, Anish. Thank you very much.

Thank you. And the next question is going to come from Nihal Chokshi with Northland Capital. Your line's open.

Yeah, thank you. And nice color there on why... the Armis acquisition by ServiceNow won't be impactful. It sounds like a key portion here is that basically they're lacking patch management. So can you dive a little bit further here and explain why patch management has remained such a differentiator for Qualys here?

Yeah, thank you. I think today if you see, right, people are finding millions and millions of finding, and the IT team does not want to be spending all their time in sort of innovating, going out and fixing so many vulnerabilities without the proper context. And so what we're seeing is that, and we talked about this a couple months ago, the Qualys agents have been able to deploy 140 million patches just in the last 12 months. And in one of the recent GigaOM reports, we replaced this with number one patch management vendor. by the analyst, and so the reason why we're getting so much traction is that in the past, you know, when I remember when I joined Qualys, scanning once a quarter and taking 30 days to fix all your issues was considered okay. Today, when the attackers are attacking you within three, four, five hours of the vulnerabilities being disclosed, you need that ability to quickly correlate, figure out that it doesn't matter to your business or that it's not exploitable in your environment. and actually get it fixed. And so our success with patch management really has been a highly integrated solution with VM and not a, you know, just a partnership where, you know, you're going out with some other separate solution and trying to bridge that gap is highly integrated solution that is quickly able to not only detect the vulnerability or find whether it is actually exploitable in your environment, but then within a matter of minutes, it can actually fix and patch that particular issue. And so what we're excited about is the success of patch management the last few couple of years, but also what we did end up last year is moved even further into providing customer more abilities to mitigate the risk of the vulnerability without patching. And I like to call it patchless patching. which is applying mitigating controls on the machine, which has given even more flexibility to our customers, because sometimes you're worried about a patch breaking something. How do you balance the worry of patch breaking something with the worry of getting exploited? And many times, because of our super deep research in the threat research landscape with our research analysts, we actually are able to figure out the way exploits are working and then find ways to apply mitigations on the machine so that the actual exploit can be blocked. So at the end of the day, what is the point of all the spend you do in vulnerability scanning is to get the right things fixed before the attackers get there. So the majority of the value that comes in that overall spend is really about the patching part. If you do not patch it, you can build all kinds of dashboards, and there's dashboard tourism going on right now, but those dashboards don't mean anything if you don't actually get it fixed before the attackers get to it. Okay, thank you.

And Jumi, are there any headwinds leading to expectation of no change in MDR in your calendar 26 guidance, that's embedded in your calendar 26 guidance?

Yeah, our guidance is assuming no material change in net dollar expansion rate. You could see that it's always kind of gone up a quarter or down a quarter in the past couple years. Right now, I've seen, starting out the year, ending 2025 at 103, we don't anticipate material change at that rate.

But why is that? Why are you expecting no change?

Our guidance is informed by what we're seeing in the pipeline today and what we're expecting based on our existing customers, what they anticipate by moreover, how they're thinking about spending more with QLIS in 2026, our preliminary discussions and view into the outlook today. implies that assuming kind of similar in-line gross dollar retention, the expectations from an upsell standpoint, and then, of course, a new business, what we expect to land from a new logo perspective, this is all informing our guidance and the way we look at things.

And that's the base case and our goal will be to continue to improve our execution on the ETM and ROC to the customers getting to know that. And that to me remains the upside for the businesses with the federal, now with our federal empire that we got and the federal space partners, et cetera. So I think that's kind of where we are with just assuming 103 as we see it right now, but do we continue to work on the upsides in the business that we can potentially have?

So does that imply that your expectations, the baseline expectations that EPM incremental penetration to install base continues at this relatively slow pace that we're not hitting an inflection point yet?

I think it's way early. So like we said at the end of the last year where we had, you know, started with POCs, we're super encouraged with what we are seeing with the POCs and the conversion that we're having. But again, it's very early, right? We're talking about, you know, customers that are early adopters. So it's encouraging, but we haven't had enough of those to really map out a confirmed trajectory of how that is going to go. So I think as we execute better in the first couple quarters, that's where we will get to understand even better now That's where, as Julian has talked about in the past, we will start to provide guidance on how ETM is going to, how ETM is going for us, starting the Q1 earnings call for 2026. And so, that will allow you to sort of track where we're starting and then how we're going to expand through the next couple of years on that big opportunity that we see right now. Okay. Thank you.

Thank you. And our next question will come from Rudy Kessinger with DA Davidson. Your line's open.

Hey, great. Thanks for taking my question, Jimmy. I think you said in response to one of Jonathan's questions earlier, I think the baseline remains around 7% to 8%. I'm not sure if you were referring to the revenue guide for this year or if that was also your expectation for, you know, roughly what we should expect for current calculated billings for the year.

I would say that, you know, we don't give a specific guidance for current bills, but our expectation is that current billings growth rate will be more or less in line with a revenue growth rate. So, 7 to 8% for both for full year 2026.

Yeah. Okay. Got it. And then just, you know, maybe kind of a follow-up to the past question. Certainly, it sounds like there's a lot of optimism about the early EPM interest and adoption and whatnot. But at the same time, it's still just being too early to maybe, you know, drive an improvement in the net expansion rate or the overall revenue growth rate. I guess just, you know, I don't know. We've been hearing that for a few quarters now. I mean, what needs to go right, whether it's with the channel or utilizing QFlex? You know, is there potential that this year we could see enough adoption that we do see, you know, expansion rate pick up or revenue accelerate, or is that unlikely just based on the current pipeline?

Yeah, I mean, all of that needs to go right. I think we've done a lot of innovation. The products are coming out now, which is great. Asian Val is going to be very interesting for us. And the recent identity solution is also very interesting. I think a key part of our strategy definitely has been working with partners. And so, as an example, one of the key areas of focus right now where we are certifying more MROC partners is an example. and we are getting these partners up to speed and we're getting the partners trained and helping them create their offerings around the risk operation center. And the idea here really is that these partners then with those services actually can bring us net new business, can bring us upsell opportunities because they don't have to have a replacement conversation maybe with the existing vendor that they might have been selling for the last couple of years. They can actually create a service for risk management with MROC on top of the existing VM solution as an example by pulling that data into Qualys and then ETM and then charging the customer for the management and the consolidation of their various risk factors, et cetera. So that's an area that we are looking forward to as that matures and as we're in the early days of getting those partners up to speed. Once those partners then start to take those offerings to their customers, that response will also help us see how that is gaining traction. Again, early conversations have been great. We've got to see that in the way that these partners are bringing us some of their business. I think QFlex has been really a positive thing for when you're taking a customer who has VMDR and then converting over to ETM. That has actually been a really positive thing for customers so that they can kind of build in sort of certain amount of growth and they can look at the ability to take the journey of a risk operation center at that pace. And then, of course, we just got our program high end of last year. So that's allowed us to have more conversations for the 2026 budget cycle for federal that obviously were not in line in time for 2025. So, those conversations after FedRAMP high for 26-27 are also going to be quite interesting for us as potential upside. And so, I think as Juby has, you know, provided sort of the guidance that we see as of now, we're excited about some of these things that can potentially create the opportunity for us to do better than that.

Thank you. And our next question will come from Matthew Hedberg with RBC Capital. Your line's open.

Hey, guys. This is Mike Richards. I'm for Matt. Thanks for taking the question. You know, keeping it a little high level here, you know, Anthropix's new model release today put an emphasis on cybersecurity and specifically the model's performance for vulnerability discovery and patching. So I was just wondering, you know, if you could talk about what you believe these developments mean for Qualys and maybe the cybersecurity industry more broadly as model providers, you know, look to potentially go deeper into cybersecurity. Thanks.

Yeah, great question. I think today's announcement was great in terms of that understanding the fact that autonomous AI during the coding process or when you look at the code of a software and pointing to that is definitely something that the attackers are looking to leverage and they're leveraging as well. to be able to discover vulnerabilities in the code base. Now, having the ability to discover a vulnerability in an open source code is one thing, which is what on topic is helping. But once you find that this particular code has a particular vulnerability that could be exploited, you need to go find all of the machines running that software all over the customer's environment internally, externally, and then the ability to test that after all the The controls that the customer has put in place in their environment on that machine, is that actually exploitable, each individual customer's environment in each individual customer's machine? And that's the part where I think this, the entropic development actually really helps, again, stress the reason why after a particular vulnerability is discovered, an exploit is discovered, why it is important to use an ETM. agentic AI-type solution to very quickly validate that in your environment and then actually fix it and apply a fix autonomously because when you're using AI to find these particular vulnerabilities and attackers are using the same model, they are going to try to do their best to very quickly exploit those. So what we feel is we are empowering our customers with ETM and with somebody like AgentVal to actually stay ahead of the gap between discovery of a vulnerability to the exploitation that we can actually leverage BPM with agent AI to then actually find this issue in their specific environment on their specific machine and then protect them very quickly by actually being able to patch that. And so that's really the main differentiator. So I think in a way it's great to show the power of what AI is able to provide for the attackers find issues in open source. And then it signifies even more the value of the ETM platform to actually find that during the runtime and not just in the code base as in topic is doing to it. Thank you.

Thank you. And the next question will come from Patrick Colville with Scotiabank. Your line is open.

Thanks. This is Joe Vandrick on for Patrick Colville. Med, can you help us understand, I know you kind of touched on this, but can you help us just better understand the strategy you're taking to get customers to adopt not just vulnerability management, but also prioritization and patch management? And then I'm wondering, is there a way to think about what percentage of the customer base is just using that basic functionality of vulnerability management?

Yeah, great question. I think if you kind of look at what we have been doing with patch management, by the way, and if you look at, we're very happy to see the adoption of patch management, cybersecurity, asset management as the capabilities that sort of take that vanilla VMDR and add more execution for success around those list of CVEs. We're pretty happy and excited to see that. And so today with the ability to provide customers with things like, average exposure window, the ability to provide customers the way that that particular vulnerability actually impacts their particular environment. As an example, your typical threat exposure management solutions will give you a score, a risk score, and they will say that this particular issue has a risk or this particular asset has a risk score of 900 on 1,000 and another one has a 750 on 1,000. which one will you fix first? If you just go by the risk score as an example, you're going to see that maybe that risk score of 900 on a thousand is on a machine that makes you 2 million a year, but the 750 is on one that makes you 500 million a year. Immediately your prioritization switches and is exactly the opposite of what your exposure management solution gave you because now you added a dollar value. And once you have that and you know that you're potentially going to have a loss of $500 million because of the exploit of this vulnerability. The next thing that customers want to be able to do is how quickly can I protect myself from making sure that I don't lose that $500 million. And that's where an integrated patching and integrated mitigation solution like Wallace is super impactful for them because now they don't waste time because Once attackers are starting to exploit vulnerabilities, it is just a, you know, you're sitting duck with an open window and the quicker you can close that window, the better it is going to be. And our customers are really seeing that. That's why their adoption of patch management has been increasing 140 million patches in the last one year. is quite a milestone for us. And the ability to sort of give them that visibility to say that, you know, you can with this platform, you're not just exposing your exposure, you're actually fixing it is a great story. And our partners are also excited about the ability to not just provide service around more visibility, the ability to actually be the partner for the customer that gets them an outcome of actually the risk reduced. is a differentiator and that's kind of where we are looking forward to continuing our innovation around the exploit validation and the mitigation and patch management solution, as well as awareness building around the risk cooperation center is an area for focus for us. And then along the way, risks come from cloud. They come from your standard virtual machines. They come from cloud. That's where we have vocal cloud. They come from identities. We have ISPM for that. They come from misconfigurations, and we have policy audit for that. They come from AI now, for which we have total AI as an example. So we continue to expand ways to bring more assets into ETM. At the same time, we continue to innovate on ways to absolutely get to the final outcome of actually reducing risk with automation and agent decay as fast as you can. And that honestly is really, in my mind, a big differentiator.

That makes sense. And if I could sneak in one more, I think you mentioned that you're still in beta testing for QFlex and that you're going to leverage it for select partners. Is that just timing or are you not planning to go customer-wide with that pricing model?

Yeah, we went beta with Q-Flux last year, and so we understand that how we could be very additive to a cohort of customers, so we're rolling it out on a case-by-case basis because we want to create a win-win scenario for us, right? For customers who we feel like they would really benefit and increase their spend with us by giving them this flexibility, we're more than happy to work with them, whether it's through a partner or directly with us. For broadly speaking, we don't want to be in a situation where unintentionally it results in a downsell for us, and then also they don't have the ability to try out other products because they're maximizing their budget and thinking through it from that perspective. So right now it's in beta, but in the longer term, we do plan on going to GA with that and potentially with a slightly tweaked structure.

Thank you.

Thank you. And our next question will come from you and Kim with Loop Capital. Your line's open.

All right. Thank you. Sumed, I think you already touched upon some of my questions already, but, you know, how engaged are partners involved in core VM renewals? Or are they, or a lot of them that you were partners that you attracted last year, are they more about selling new products?

Yeah, the MROC partners that we work with are pretty excited. We're starting to see these partners launch their own services for risk operation center, which obviously takes some time because they have to come up with the with the brochures for the services, staff them with the right experts for risk quantification, et cetera. But what they are excited about is that instead of just looking at, you know, can I get another five cents, 10 cents of margin on a dollar, the ability to say that with ROC, they can actually offer Shire value services. The service you can offer to a CISO is, hey, here's, we're going to give you a business-oriented service cyber risk visibility deck that you can take to your board every quarter that's going to make you look very smart in front of the board is a significant value and they can charge multiple dollars as an example for those services around ETM, which they cannot necessarily do around other areas. with the agentic AI capabilities built in, the partners are excited that that actually can also reduce the spend that they have to do to staff their services teams with people if agentic AI capabilities in the platform can get them a patch Tuesday report within 24 hours versus taking two weeks for a consultant to manually go and create Excel sheets to do things like that. So very exciting early conversations. We're already starting to see some interesting wins, though it's early days, with new business and existing business with those partners that understand the risk story and positioning the broader risk management rather than just, okay, here's another list of vulnerabilities that I can provide you. Those conversations are very positive. And so, as I said, I We're really focused right now on our GTM efforts around training these partners, around partnering with them, and introducing them to customers as they introduce us to prospects, et cetera. And as that progresses, I'm excited about the potential that partners can bring customers to us, even if that customer might have another VM scanning solution, they can keep their solution and they can actually bring that customer to us, and the partner can make multiple dollars on every dollar of ETM that they sell for us.

Okay, great. That's very helpful. Jumi, if you can remind us how renewals are lined up for the year, is it skewed towards second half of the year consistent with the prior years, or with the newer products coming in, do you see some early renewals or renewals mix kind of changing up this year?

Right now, our expectation is that the seasonality remains the same. So, same thing as what you saw in 2025. It will be skewed towards the second half of 2026.

Okay, great. Thank you so much. That's it.

Thank you. And the next question will come from Junaid Sudwigwe with Truist. Your line is open.

Great. Thank you for taking my question. Sumedh, you've talked about the, you know, risk operation centers focus on proactive risk management versus the SOCs focus on detection after the breach being a major differentiator. Just wanted to ask, you know, are you starting to see budgets flow more towards proactive security versus reactive detection and response?

Yeah, thanks, Junaid, for that question. We definitely see the conversations with our partners who have said, like, look, I've invested a lot over the last few years in EDR, XDR, you know, post-breach solutions around SOC. And, of course, you know, there is some focus now on agentic AI SOC solutions that they're looking at to improve that even further. But what they feel is that on the pre-breach side, they have invested, but they have invested in a bunch of, I call them, XPM tools, which is I have DSPM, I have SSPM, I have CSPM, but all of them are just giving you multiple dashboards. And there is definitely a bit of a fatigue with these customers and saying these dashboards are not helping me prevent a breach. While I have put in place a protection on the post-breach side to try to find attackers, if I can do a better job and operationalize my workflow so that I can take all these findings from multiple tools, you know, you have these code scanners which are kind of like false positive service sometimes because they give you so many findings. The conversations definitely are moving in that there is positive conversation on leveraging budget that they have or asking for more budget over the next couple of years to move in that direction. And the early adoption of ETM that we are seeing is necessary. Essentially, we're going and getting budget that they are not always moving away from something they're already budgeted for. So some customers have started to put budget aside for exposure management, so to say, or RBVM, but when we show them ROC, which is much bigger than exposure management and much more than RBVM, they are actually able to work with us to shift on that budget. So I definitely feel like there is a more of a focus last year and into this year on, hey, we need to do a better job at proactive risk management. We've done a lot of work around the reactive side. Let's focus to get better on the proactive side.

Great. Thank you.

Thank you. And the next question will come from Jason Jang with Wolf Research.

Hey, guys. It's Joshua Tilton from Wolf Research. Can you guys hear me? Yes, Josh. Awesome. So, Meg, I want to follow up on your answer when you were asked about kind of anthropic blog posts today on cybersecurity. And I just – I want to re-ask the question, but I want to ask it in a much more simpler way. Is the way to think about it that a lot of the functionality that Anthropic was talking to was more around application security testing and kind of some of the vulnerability discovery that happens before you would use a traditional VM tool? And again, I just play a security expert on TV, so if I'm thinking about it the wrong way, please let me know. But is that kind of the right way to think about it?

Right now, a lot of that focus is on looking at open source code and going to the code base to look at commit logs, et cetera, around that code to find the vulnerabilities in that particular code base. Now, that code base is then compiled into some piece of application software, which then is running all over the place across millions of machines in different customer environments behind different firewalls, et cetera. Generally, that's sort of where we see Wallace focus is more around once those vulnerabilities are discovered or attackers starting to use those, how do we then quickly assess those in the runtime rather than application code discovery time, which is where a lot of these AI agents are focusing on.

Makes total sense. And then maybe just a quick follow-up for Jumi. I think in the past, You know, there's been several leadership changes throughout the years where, you know, there was always a plan to kind of invest to reignite growth. And I'm just curious, when we think about the EPS guidance for the full year, how do you think about the level of investment for 26 that's baked into that EPS guidance versus prior years when maybe you've had one of these kind of, you know, new CRO in place or other leadership roles being filled?

So we're really pleased to start off the year strong with all key positions filled with a strong executive team who's tenured. So keeping that in mind, last year we had guided to low 40s EBITDA margin coming off of 2024's 47%. So the implied gap or implied margin contraction was significantly higher than what you're seeing today. We clocked out the year 2025 with 47% EBITDA margin. We're guiding to mid-40s for EBITDA. So slight contraction, but it's not as significant as what we had guided to at the beginning of 2025.

It's a lot of fun. Thank you so much, guys.

Thank you. Thank you. This does conclude today's question and answer session. And this also concludes today's conference call. Thank you so much for participating, and you may now disconnect.