Qualys, Inc. Q4 FY2020 Earnings Call

Good afternoon, and welcome to Qualys' fourth quarter 2020 earnings call. Joining me today to discuss our results are Sumedh Thakar, our interim CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, and investor presentation are available on the Investor Relations section of our website. With that, I'd like to turn the call over to Sumedh.

Thank you, Vin. Thank you, and welcome everyone to our Q4 earnings call. Before we discuss our financial results, I wanted to say a few words about the separate announcement we issued this afternoon. As you have likely seen by now, we disclosed that Philippe Courtot is taking a leave of absence due to health issues unrelated to COVID-19. Please join me in wishing Philippe a speedy recovery. In connection to this development, our Board of Directors has appointed me as the interim Chief Executive Officer. As those of you who have been following Qualys know, I've been with Qualys for nearly 20 years. I was appointed Chief Product Officer in June 2014 to lead the transformation of our platform, and I was appointed President in October 2019. I have been working closely with Philippe for many years, and we share the same vision of transforming the way our customers secure and protect their organization's IT infrastructure and applications with best-in-class cloud-based IT security and compliance solutions. I have deep appreciation for the tremendous platform we have built, and I am honored to serve as Qualys' interim CEO. I look forward to working closely with the Board and the rest of the Qualys team to continue building on our strong business momentum and driving the company forward while Philippe is out. Now, for my first task in this role, I'll walk you through our earnings results for the fourth quarter and full-year 2020. We are pleased to report another quarter of solid revenue growth and profitability. We also saw strong growth of our paid cloud agent subscriptions, which grew more than 80% year-over-year to 56 million. Very uniquely, our multi-function, lightweight Cloud Agent provides visibility across the entire hybrid environment, and is the underlying technology for a number of our IT, security, and compliance solutions that are natively integrated on our platform. As a result, Qualys customers can deploy VMDR, (Vulnerability Management, Detection and Response), Multi-Vector EDR, (Endpoint Detection and Response), Policy Compliance, File Integrity Monitoring, Patch Management, Global IT Asset Inventory, and the upcoming XDR offering through a single agent, which differentiates us in our industry. In addition, we continue to expand our platform's capabilities to take response actions, enabling our customers to respond quickly to security issues in their environment. While the importance of vulnerability management for our customers remains high to help mitigate their risk, they are also looking for ways to quickly respond to these risks and threats. As these organizations continue to increase their focus on discovering all their hybrid IT assets, mitigating their risk and detecting and responding to ongoing attacks, Qualys' platform, through a single pane of glass, uniquely provides our customers the ability to do a complete asset inventory and CMDB synchronization, mitigate their risk of breaches with capabilities like VMDR and Patch Management, as well as detect and respond to attacks using our EDR and upcoming XDR solution. With the release of our container runtime protection solution and the new SaaSDR as well as our upcoming Cloud Response solution, we are now expanding similar capabilities in other infrastructure environments, giving customers additional opportunities to consolidate their security tools onto the Qualys Cloud Platform. In terms of our newer paid solutions, we continue to see strong growth from our Patch Management solution. In Q4, a leading pharmaceutical firm selected our patch management application over several competing solutions, given its ability to easily and effectively patch remote endpoints without using the limited bandwidth available on their VPN gateways. They chose Qualys because of our ability to discover asset inventory, vulnerability management, and patch management through a single agent. This quarter we also saw strong traction for our paid Global IT Asset Discovery and Inventory application with a large media conglomerate adopting the application to gain visibility of all their known and unknown assets across multiple environments, identify the end of life of their installed software, and synchronize with their ServiceNow CMDB. Finally, we again saw robust growth for our Container Security application with adoption from a large global IT services company that has already deployed our vulnerability management, Patch Management, Global Asset Inventory, File Integrity Monitoring, and EDR solutions further consolidating their security stack with Qualys. In terms of Product Innovation, we have continued to make strong progress on our product roadmap. Some key recent accomplishments include: Delivering a free 60-day integrated Vulnerability Management Detection and Response service to our customers quickly assess devices impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, and stolen FireEye Red Team tools, and use the patch management capability to immediately fix their exposure with a single click using the same agent. We also enhanced Qualys Container Security Response Solution with the addition of deep visibility, runtime defense capabilities, and automated enforcement with delivery of Qualys Runtime Security. We recently introduced a brand-new extension to our platform called SaaS Detection and Response, (SaaSDR), which provides a single console for IT and security teams to gain continuous visibility, security, and compliance of critical SaaS applications like O365, G-Suite, Salesforce, as well as Zoom. This solution enables our customers to monitor the posture of their users and applications that have access to critical data in their SaaS environment, helping bridge the gap between on-prem as well as SaaS assets, again through a single platform. We are also excited that we are expanding Qualys VMDR (Vulnerability Management Detection and Response) to enterprise mobile devices with the addition of Cloud Agent support for Android and iOS devices. As part of their digital transformation, organizations continue to leverage more and more handheld mobile devices to conduct business with access to critical data from these devices. This expansion allows our customers to track vulnerabilities and misconfigurations on these devices and take appropriate response actions. This builds on top of our other product accomplishments from earlier in 2020. Key amongst them are the shipping of Qualys Multi-Vector EDR, which leverages the Qualys Cloud Platform and Qualys Cloud Agent to detect ongoing threats on endpoints, conduct threat hunting, and take appropriate response actions. It further correlates threats with vulnerabilities providing unique capabilities for proactive mitigation from additional breaches. We also released a comprehensive inventory sync with ServiceNow Service Graph and Configuration Management Database, (CMDB), as part of the new Service Graph Connector Program, a new designation within their Technology Partner Program. With the strategic launch of VMDR early last year, while is a unique all-in-one cloud-based application that automates the entire vulnerability management lifecycle across on-premise, endpoints, and cloud environments, bringing vulnerability management, threat prioritization, and patching into a single end-to-end workflow with a single agent. Looking ahead, we are enthused about the additional solutions that we plan to introduce in 2021. The XDR platform expansion, which seamlessly integrates, and correlates data natively collected from all Qualys sensors with additional context from other third-party data sources. This powerful capability will let customers detect threats beyond endpoints. Qualys XDR will also orchestrate the various response actions and help our customers reduce cost and complexity of deploying and managing SIEM and SOAR solutions. This capability is currently in private beta with select design partner customers, who have been working with us. We also plan to expand support for Patch Management for Linux environments, so customers with Cloud Agents on these environments can also add Qualys Patch Management to these additional devices. We will continue adding additional capabilities to our Multi-Vector EDR such as Endpoint Protection Capability, (EPP), as well as expanding EDR support into Linux environments. We are working on a major update to our passive scanning technology that will significantly expand our coverage of Industrial Control Systems, Operational Technology environments, as well as detection of IoT devices. We showcased these solutions at our very well-attended QSC user conference, which was a 12-day virtual event held in November 2020. Over 5,000 people across our customer base, partners, prospects, analysts, investors, and the media attended the event, and we received very positive feedback. The development of these native solutions at such a rapid pace is possible because of the massive investment we made in our cloud platform and our strong engineering talent base with over 900 employees now in Pune, India. These new initiatives open significant incremental market opportunities for us. They also allow our customers to easily and cost-effectively consolidate their stack of traditional enterprise security and compliance solutions while providing them with a single-pane-of-glass view of all assets across on-prem, endpoints, cloud, SaaS, and mobile environments. In terms of Go-to-Market, we are expanding relationships with existing partners. Our comprehensive platform with detection and response is becoming increasingly strategic for MSSP partners as they can provide multiple services and easy upsell to their customers, instead of focusing a large amount of resources on building such a scalable platform themselves and having to integrate multiple other point solutions. Given the increased breadth of our product suite and the launch of VMDR and Multi-Vector EDR, we have now embarked on a few additional go-to-market initiatives that leverage the efficiency and effectiveness of our cloud platform. This is a key element of our profitable growth, driving value for our customers and shareholders. Our go-to-market activities in 2020 included: Leveraging our cloud platform for lead generation with free services. As an example, we launched our free Remote Endpoint Protection solution to help enterprises secure remote workforces by providing instant security assessment, visibility, and remote patching when it was difficult for them to do this using their enterprise solutions over VPN. We expanded our reach into China by establishing a Private Cloud Platform and a partnership with Digital China, the largest value-added provider of integrated IT products, solutions, and support for enterprises in China. We launched the Qualys UAE Cloud Platform in Dubai, which further expanded Qualys' global operations across these continents in that region. We extended our partnerships with Deloitte Advisory, where Deloitte Advisory partnered with Qualys to integrate VMDR and Multi-Vector EDR into Deloitte Hong Kong Cyber's managed vulnerability services. Armor, a global MSSP, embedded Qualys VMDR into Armor Anywhere, an industry-leading cloud security platform. Our partnership with Armor also includes Qualys CloudView solution for compliance and security posture management of public cloud environments. We announced Cloud Agent's general availability on Google Cloud, providing customers with a one-click workload security visibility in Google Cloud. Additionally, we natively integrated our Container Security Solution with Google Cloud Artifact Registry. We expanded Vulnerability Management integration with Microsoft to also include Microsoft Azure Arc to allow customers to perform vulnerability scanning on servers outside of the Azure platform. We partnered with Infosys, a global leader in next-generation digital services and consulting, to integrate Qualys VMDR and Multi-Vector EDR into its Cyber Next Platform, a managed security service offering. While looking forward to 2021, we plan to meaningfully expand our sales and marketing efforts, given our increased number of solutions, including our game-changing VMDR and Multi-Vector EDR, as well as our upcoming XDR offerings. Similar to our efforts on the cloud platform, we are building a marketing platform. We have recently hired a CMO, and are expanding our marketing awareness initiatives for the C-levels as well as our lead generation capabilities, leveraging our platform and increasing virtual events. On the sales front, we are expanding our quota carrying sales headcount, or technical account managers as we call them, and have recruited an EVP of Field Operations for the Americas, a VP of New Business for the U.S., VP of Strategic Alliances for System Integrators, and a VP and GM for our SME/SMB business. In addition, we are also planning to hire a CRO, Chief Revenue Officer this year. We will also continue to invest in R&D and operations as well as other support functions as we continue to scale the organization in anticipation of future growth. We believe these investments will set us up well for long-term and profitable growth. We believe the world after COVID-19 is going to be different. Companies are going to be more focused on reducing costs while increasing business flexibility, which is going to significantly accelerate the transition to cloud-based solutions. Increasing adoption of our cloud agents and our passive scanning technology, combined with the breadth of our solutions that span across the entire hybrid environment enables us to offer customers greater visibility, accuracy, and scalability. This positions Qualys well to enable customers to consolidate their security, IT, and compliance stacks with us, providing risk mitigation and threat detection and response on the same platform while also drastically reducing their overall spend. In conclusion, Qualys continues to clearly move well beyond vulnerability management and increase its competitive advantage. We are optimistic that the adoption of our newer solutions, including Patch Management, Multi-Vector EDR, Container Security, and upcoming XDR, which solve meaningful problems for our customers, will provide us the opportunity to increase bookings growth over the long-term. In summary, we believe that we are now well-positioned to expand our revenues with existing customers as well as continuing to expand our customer base for the years to come. With that, I'll turn the call over to Joo Mi to discuss our fourth quarter financial results and the full-year fiscal 2021 guidance.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that, except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period, unless stated otherwise. We're delighted with our increasing cloud agent subscriptions, which lay the foundation for future revenue growth and industry-leading profitability. Our Q4 financial and operational highlights include: Revenues for the fourth quarter of 2020 grew 12% to $94.8 million. Looking forward, we expect Q1 2021 calculated current billings growth to be negatively impacted by the timing and amount of prepaid multi-year subscriptions as well as shorter duration invoicing. Our average deal size decreased 3%. Excluding strategic alliance deals, (normalizing for the impact of channel customers coming off an OEM relationship), deal size increased 6%. Paid cloud agent subscriptions increased to 56 million over the last twelve months, up from 50 million for the 12 months ended in Q3 2020. And 29% of VM customers up for renewal in the quarter renewed into a VMDR subscription. Excluding strategic alliance deals, VMDR adoption was 35%, similar to Q3. Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the fourth quarter of 2020 was $43.4 million, representing a 46% margin versus 44%. Q4 EPS grew 13%. And our free cash flow for the fourth quarter of 2020 increased 27% to $31.9 million, representing a 34% margin. In Q4, we continued to invest the cash we generated from operations back into Qualys including $6.9 million on capital expenditures for operations, including principal payments under capital lease obligations, and $34.8 million to repurchase 352,000 of our outstanding shares. Looking back on the year, we are proud to have continued our product leadership while meaningfully growing earnings and cash flow for our shareholders. In 2020, we released several new products, features, and enhancements. Cloud Agent adoption grew over 80%, from 31 million Cloud Agents subscriptions to 56 million. We grew EBITDA by 23% and achieved record EBITDA margins of 47%. We utilized $126.7 million of our cash to repurchase approximately 1.3 million of our outstanding shares. And finally, we grew EPS by 25%. We remain confident in our business model, driven by our foundation of nearly 100% recurring revenues and an expanding suite of applications. Looking to 2021, we are excited about the revenue growth opportunities from our new solutions, including VMDR, Patch Management, and Multi-Vector EDR. We expect full-year revenue in 2021 to be in the range of $399.0 million to $402.0 million, which represents a growth rate of 10% to 11%. In terms of 2021 profitability, we expect to maintain industry-leading margins leveraging our highly profitable operational model, while preserving the ability to further invest to drive future revenue growth. We expect full-year non-GAAP EPS in 2021 to be in the range of $2.60 to $2.65. For Q1, we expect revenue to be in the range of $94.8 million to $95.4 million, which represents a growth rate of 10% to 11%. We expect non-GAAP EPS in Q1 to be in the range of $0.68 to $0.70. We expect the first quarter of 2021 capital expenditures from operations to be in the range of $6 million to $7 million and full-year 2021 to be in a range of $30 million to $35 million. As Sumedh mentioned, we are very excited about the robust adoption of VMDR and the launch of our Multi-Vector EDR solution, and we remain optimistic about the company's future. We feel very confident during this period of uncertainty due to the value provided by our Cloud Platform as well as our underlying highly scalable and profitable operational model.

Things are going well with Philippe, and I send my regards. Now, back to the business, can we discuss the current environment regarding increased cybersecurity spending and larger deals in both the enterprise and federal sectors? Please share your insights on how you see your company positioned in this landscape and whether it boosts your confidence for the year ahead. Thank you.

Yes, I think what we're seeing right now is that a lot of our customers, especially if you see some of the recent attacks, they are really looking at solutions that are going to help them detect their issues quicker and take response actions so that they can mitigate this because otherwise the plethora of point solutions that are out there, it takes a long time for them to be able to find the breaches that are going on or the misconfigurations that lead to these breaches. And today, we feel that with the platform which focuses on both aspects of security, which is the risk mitigation as well as the threat detection and response capability, we feel like our platform is well positioned for that. And in our conversations with our customers, as I mentioned, a couple of examples where customers are adding capabilities of patch management to those agents that already have VMDR, as an example, or looking to add EDRs so that they can consolidate that agent and get to the point of getting the information across these different solutions quickly, they see the value in what we are doing. And obviously, as they look to ingest the Qualys platform and integrate that into their current environment, this is something that we work with them.

Great, thank you.

Thank you. Again, sorry to hear about Philippe, and hope for a quick recovery. Joo Mi, quick question on the guide. It looks like based on your Q1 guidance and guidance for the year, you are expecting somewhat consistent year-over-year growth through the year, with 10% to 11%. But shouldn't we expect to see VMDR adoption kind of being a tailwind for the revenue growth, the lead starting in the second half of the year, just trying to better understand if there are other dynamics to the lead growth that we're not thinking about.

Yes, so it's true that with the newer solutions, we're very optimistic about VMDR Patch Management, and even Multi-Vector EDR, which is newer. However, the adoption of newer products and when it's going to translate into revenue is a bit uncertain. And historically, what we've guided to when setting the annual revenue guidance, really we look at our current bookings and pipeline to inform our guidance. And because of that, this is the visibility that we have right now, and in Q1, the guidance that we have is basically what we expect to achieve based on the opportunity that we see ahead. And then for the latter half of the second half of the year, it's a little bit too early to tell, but we thought that it was prudent to guide to the 10% to 11% growth for the full year.

And if I can add to that, VMDR is definitely something that we see customers really asking for it. And we see that it takes them some time based on their environment to deploy VMDR, but once they have that, which drives the adoption of the agent, we are seeing, as I gave that example, and also earlier in the year we saw some customers that were able to move very quickly to add additional services within a couple of weeks. In other cases, customers do take time to integrate that into their security portfolio before they can then move on to additional capabilities so that VMDR forms the base.

Okay, great. And Sumedh, first, congratulations on becoming CEO. It’s clear that VMDR adoption is progressing well. You have the big XDR launch approaching. From a product standpoint, you have definitely become a full platform provider now. The next step is to go to market, along with ramping up the sales force. In your prepared remarks, there was a lot about your hiring plan, but could you provide insight into how aggressively you plan to increase sales capacity this year? Also, do you have any updates regarding your go-to-market strategies in the hyperscale and cloud environment, especially concerning new customer acquisitions? Thanks.

Yes, to start with the sales strategy, we have already begun hiring, including an EVP for Field Operations in the U.S. and a VP for new business in the U.S., as well as a VP and GM for our SME and SMB business. We also plan to hire a Chief Revenue Officer this year. Our approach goes beyond just increasing the number of sales staff; we are enhancing our marketing efforts by bringing on a Chief Marketing Officer and hiring several heads of product, including a VP of Product for cloud and VMDR, among others. These initiatives aim to improve our platform's packaging and support our sales team in better enabling sales. We are optimistic that this combination will drive revenue growth and define our strategy moving forward. Regarding the goals with GCP and Azure, much of it revolves around built-in capabilities. Our platform enables customers transitioning to the cloud to utilize not just vulnerability management but also patching. For environments that host critical data, such as those requiring FedRAMP compliance, services like file integrity monitoring and EDR are essential. Once customers implement our agent, we can effectively provide these services. We are focused on backend integration with Google and Azure for our agent, aiming to connect smoothly with their platforms. This integration benefits both new customers looking to build solutions quickly and existing customers who adopt a hybrid approach, using the Qualys platform alongside built-in integrations in Azure to deliver quick visibility on necessary fixes. The security teams gain insight into the overall security landscape through the Qualys console. As more organizations re-architect their solutions to be cloud-native, we are well-positioned to offer robust integration and the ability to quickly expand capabilities since our agent can be easily deployed on virtual devices in these environments.

Great, thank you so much for that detailed answer, and congrats on the appointment again, Sumedh.

Great, thanks for taking my question, and our thoughts go to Philippe as well. You guys when SUNBURST and SolarWinds hit, you guys had a lot of really helpful press releases out sort of talking about the benefits of the Qualys platform. And obviously, it didn't impact your Q4 revenue, but I'm curious if you could talk about, has it aided pipeline generation, and I would assume you're probably not including it in your guidance, but if you just talk about, if that's helping kind of the go-to-market pipeline initiative?

We have a two-pronged approach. First, we launched services similar to our free and point security solution to assist our existing customers in managing their environment. This includes using modules that they haven't purchased yet from Qualys to help mitigate risks. For instance, when we offered a 60-day free service regarding SolarGate, we provided not only the detection of vulnerabilities linked to the FireEye stolen tools but also the chance for these customers to use Qualys Patch Management for free to patch those vulnerabilities immediately. This is a significant improvement because, rather than just scanning and showing results, we activated Patch Management for customers who already have the Qualys agent, allowing them to patch vulnerabilities within a few hours and demonstrating the platform's ease of use. While this does generate additional leads, our main objective is to establish credibility with our customers, showing them how easily they can utilize the extra features in Qualys once they have VMDR. Even though this doesn't guarantee immediate purchases, it lays the groundwork for customers to realize they already have a solution in place that allows them to act quickly when they need to renew or replace existing solutions.

That's helpful. And then I just wanted to ask, or kind of dig into kind of core VM growth. Obviously, you're seeing a lot of growth. You talked about Cloud Agent subscription growth of 80%, and there's a lot of new products that are launching, but I guess my question is with a 10% to 12% or 10% to 11% guide this year, I mean, I kind of think of that as kind of like the VM growth rate. Is there something that's suppressing VM a bit, I mean, is it a COVID headwind, just trying to get a better sense of how you're thinking about sort of like core growth. Obviously, you've got growth outside of that, this aiding, but just kind of core VM would be helpful?

The core VM was significantly transformed last year with the introduction of VMDI. Previously, VM primarily focused on providing a list of CVs, but now it encompasses a comprehensive solution through Qualys VMDR that includes prioritization and issue resolution. This shift has generated excitement among customers eager to adopt a Vulnerability Management Solution that consolidates these capabilities into a single agent. However, as customers consider this transition, they often face challenges if they already have a separate Patch Management solution and team. They need to navigate their internal processes to determine the best approach, which may involve starting with smaller Patch Management initiatives. In some cases, Patch Management has even driven sales of VMDR. Adoption timelines vary; for instance, one customer migrated to Qualys patching for 250,000 assets within two weeks due to already utilizing VMDR. The pace of integration into their systems can differ widely among customers based on their unique circumstances. Additionally, the pandemic accelerated the need for remote endpoint patching for some, while for others, the implementation process has taken longer.

Thank you very much.

Yes, so thank you very much. Can you talk about the potential for the company to reaccelerate growth to the mid-teens? I know you're waiting for the new products to ramp. But when they all ramping, whether it's maybe later this year or early next year, do you think the potential is there to grow in the mid-teens?

We have been concentrating on our core VM and VMDR, and we have also introduced new services such as SaaS and expanded into additional environments. Our goal is to elevate the platform so that when customers are ready to consolidate in the coming months or early next year, we have all the necessary capabilities prepared for them to transition to the Qualys platform. We are optimistic that with these changes and our new global market initiatives, we can achieve an acceleration of growth in the next few years.

Okay. And also your percentage of VM customers that are up for renewal, who renewed with VMDR. I think it didn't really grow that much. It was like 35% adjusted the same as last quarter. Why do you think it didn't grow? And where do you see that percentage going to be say the end of the year?

So I think we think that 35% is a good percentage of an adoption for our customers, especially when you have customers that are larger. So it really depends in that particular quarter, what is the mix of customers that is up for renewal. So if those customers who have for whatever reason are going to take time to, because as you see with VMDR, it's not just the vulnerability management feet that comes with additional capabilities like asset inventory and patch deduction and a prioritization. So the customers need to also be able to ingest, and that capability into their current security program. And so, that may need some resource on their side to lineup maybe developers to get API calls, et cetera. So it just depends on that quarter what mix of customers comes up and what they are ready to do as you know we don't really push, push, push from them to do it because it's a subscription-based business, but what we do expect obviously is that we already had these people converted. So as the next quarters come around, the convergence will build on top of the existing conversions that we've already done, right. So obviously we see that through the next few quarters, we will see more and more of our customer base getting converted to VMDR.

Thank you.

Question and again I send our best wishes for a speedy recovery for Philippe. The hiring, it sounds like you're going to step up hiring in sales, but my impression was just you've been hiring as quickly as you could in sales in the past. What are you going to do to accelerate your hiring efforts there?

Yes, so I think, we've - as you saw already in the last couple of quarters with the list of the key hires that we have done, we have already started on that journey to accelerate the hiring in the sales and marketing, right. So we have some key folks hired not just on the sales side, but also, as I mentioned, on the VPs product side, who are going to help the sales enablement as well as bringing in the CMO and bringing in additional headcount on the quota carrying salespeople, but part of that, as I mentioned, like we are also going to be hiring a Revenue Officer who will come in and have a focused approach towards accelerating our revenue. And what are the various things that we can do, in addition to these hires that we have done to do a better approach to our customers, positioning our platform, positioning our portfolio, and having them look at Qualys as an option to their existing security solutions. So that's really the direction that we're going and we've already started on that journey today.

Then how are you looking at operating margin in terms of longer-term targets? Are you going to be right now you're in the Upper 30s, where do you think that your longer-term target will fall with if you're going to be stepping up some of your investments?

Yes, so I mean this year, we set a record EBITDA margin of 47%. We think about it is, we really have an industry leading margin, and we're focused right now, it's better balancing growth with profitability, we don't see a scenario where we wouldn't have industry leading margins regardless. So we said before was, even with an increase in investment, as Sumedh has talked about in sales and marketing, R&D, as well as customer support and operations and G&A, we think that our EBITDA margin at the end of the day will be above 40% range. And that was an acceleration in revenue, which will come in turn, following the investment, I think that we will still be have a really great profile and a very optimistic because especially with the traction that we've been able to meet with hiring the sales leadership, as well as marketing leadership, we do think that acceleration will be happening on the hiring front, as long as we have the leaders in place.

Okay, and you said it will be around 40% or above 40%. Did you say?

Yes, it'll be above 40%.

This is Matt, on for Sterling, thanks for taking the question. You mentioned a few metrics, excluding a channel partner that turned off your OEM solution, just wondering if you could elaborate a bit more on that, and if there was any impact to the quarter in terms of revenue, and how is that affecting your guidance for the next quarter?

Yes, it's not a trend, it's actually just normalizing for channel customers, we're coming to right off of an OEM relationship. So for example, under a strategic alliance deal, we had one partner, where it wasn't OEM relationships. That partner had multiple different customers, the endpoints, and they decided to come direct. And so obviously, that did end up the number of renewal deals up for renewal in Q4. And so normalizing for that noise, it ended up being about 35% IBM customers were up for renewal into quota renewed into the VMDR. And if you take a look at the dollar impact as well, it's trending nicely. So it wasn't a negative impact at all.

Great, that's fair, helpful for clearing that up. Just a follow-up question, there's a big jump in long-term deferred this quarter, we're just trying to see if you could provide any additional color on that impact and should we kind of expect a higher level of long-term deferred as an overall part of the mix? Thanks.

Yes, that's really driven by customer. So what we've seen is with VMDR, we've seen that average contract length has been trending up. And that's actually demonstrated by the RPO is disclosed in our 10-Q and then 10-K. It's been going on. And I think that's a testament to how our customers really see the value in our product, and they're not afraid to sign up for more than a year. And so that really drove an increase in long-term deferred, but it's not something that we push on customers. Like Sumedh said, it's really up to the customer. And so as they're willing to sign up for more than a year, it's great to they lock it in, lock the pricing, it's better for them, and that's reflected in our financials.

Yes, thank you. So I just want to double-click on the 1Q '21 guidance in the context of your short-term billings growth of 12% and 10% for the full-year or maybe it was the other way around. Anyhow, it seems like good billings, good billings on the short-term billings basis, and excluding the strategic relationship that you talked about, which is not affecting anything at all. In reality, it just seems like I want to understand, why are you guiding to a deceleration in revenue growth, given the robust short-term billings that you saw in the most recent quarter?

Yes, the current billings tend to fluctuate. If you take a look at the customer subscription base first, our revenues amortize over 12 months, so our current billing impact earlier in 2020 is actually taking place and having an impact in Q1 as you may recall, for example, our current billings increased by 7% in Q2, kicked up to 8% in Q3 and then Q4 was strong to 12%, but there are puts and takes, they're a natural fluctuation. And if you just take a look at the revenue amortization schedule, it ends up being that based on total revenue, which is approximately 85% is already booked based on the prior ASV. Right? And so, this is the visibility that we have right now, ending the quarter or estimating the quarter will end at about 10%. And then the other factor that I want to highlight is typically Q1 is lighter, just because of the number of days that gets impacted. So this quarter, especially in terms of the year-over-year, we're losing, we're losing a day and in the quarter-over-quarter, we're losing two days, and so that actually impacts the revenue guidance as well.

I see that's helpful. And then Slide 15 is a recurring slide that you guys have, but the data from there does look good. It does attest to increasing spend due to platform approach. Is it possible that you're seeing elevated customer churn in the SME segment that that particular slide does not necessarily capture?

In terms of retention, honestly, we've seen very strong retention, strong growth, I think that's what's really been impacted from COVID is new and potentially upsell, but in terms of our retention rate, nothing significant has changed, and we haven't seen a downward trend in both enterprise or SMEs.

Thank you for taking my question. And I'd also like to extend my best wishes to Philippe on a speedy recovery. Sumedh, my first question for you, kind of a follow-up to the solar wind question, I want to drill into IT asset discovery specifically, right, because that's one area, I think we've heard a lot about coming out of the supply chain attack, really trying to figure out kind of what assets are exposed? Can you talk a little bit about the prioritization of that service? Specifically, I know you're not going to see anything in your pipeline. Right away that attack was, this happened in December. But I'm wondering, in terms of your customer conversations and when you speak to customers, both solar winds, is that something that comes up a lot?

Yes, we are hearing quite a bit from our customers about this issue. If you examine the mechanics of the attack, it involved the supply chain where trojanized software was introduced, along with lateral movement within the environment. This included interactions between Office 365 accounts and the in-house agent. A primary concern for many has been identifying what exists within their environment and locating any trojanized software before assessing whether they have related issues. This highlights the importance of asset inventory, which allows us to provide customers with an accurate view of their entire inventory, encompassing both managed and unmanaged assets through our agents and passive scanning. This conversation is increasingly relevant, as it leads to discussions about end-of-life software and the necessary actions to address it, including understanding which assets are affected. Our first step is to identify the impact, which aligns with our threat detection and response capabilities, including EDR and XDR solutions. We also need to implement all necessary remediation actions to mitigate risks by recognizing other inadequately configured devices in the environment that could support lateral movement. Our recent SaaS release enhances the configuration visibility of platforms like Office 365, Zoom, and Salesforce. As customers transition to a hybrid environment, this provides a more comprehensive view. Ultimately, the foundation for all this is our global asset inventory, which is included in our platform, eliminating the need for customers to seek additional solutions for inventory management. This is something our customers have expressed appreciation for.

Got it. Thank you. And then just maybe a follow up on go to market, you announced a number of leadership appointments, right. You're looking for a CRO currently. I'm wondering who was the de facto head of sales before. I mean, was it Philippe? And also do you think that this is a function of maybe adding capacity? Or do you think that there has to be sort of more changes in the sales organization structure?

Philippe was effectively leading sales. However, I was very much involved working alongside Philippe in the field as well. It's a combined effort, as we've mentioned. We strongly believe in our model of hunters and farmers, and we’re not altering that to push more products to customers. Bringing in a Chief Revenue Officer will help us identify new ways to engage with customers and target them for upsells. While there will be changes with the new CRO and leadership, particularly in how we connect with C-level executives to promote the full capabilities of our platform rather than just our vulnerability management approach, we are committed to our existing strategies and the strength of our model.

Good afternoon and thank you for taking the question. And I would like to extend my thoughts for a speedy recovery for Philippe as well, hope all is well with him. Maybe, Joo Mi, I know that in the past, you've talked about some hesitation about investing in sales and marketing and bringing on new reps in a period of economic volatility. Maybe could you talk a little bit about what you're seeing and maybe Sumedh chime in as well in terms of what you're seeing? I guess that's different now that gives you a little bit more confidence that you can onboard reps and headcount, the sales and marketing organization where they could ramp efficiently and they might be productive and they'll hit expectations.

I think Joo Mi will address that aspect, but what I see currently is that a significant portion of our newer services is coming to fruition, and our customers are adopting them with increasing interest and speed, especially where they have VMDR in place. This naturally influences our perspective on areas like File Integrity Monitoring, Container Security, and Patch Management, which are beginning to show promising results with our customers and opportunities for upselling. Additionally, this is a factor we consider when evaluating our need for additional leadership and headcount, as well as assessing our customers' readiness.

Yes, we view this as something new for us, although we have experience in similar situations in the past. If you examine our company history, particularly in our investor presentation, you can see that in 2017, our current billings were nearly 21%, and at that time, our EBITDA margin was 37%. Presently, our EBITDA margin has increased to 47%. This indicates that we have room to improve our balance of growth and profitability, and we should consider investing more. The expansion in our margin can be attributed to our reduced spending on sales and marketing compared to 2017, where sales and marketing accounted for 26% of revenue, whereas now it has decreased to 17%. Given our scalable business model and infrastructure, we believe we don't need to raise this percentage significantly. Therefore, we anticipate our EBITDA margin will remain above 40%, understanding that before we increase investment in sales and marketing, it should lead to growth in billings and eventually revenue. Yes, it'll be above 40%.

Thank you. I'm showing no further questions at this time. I'd like to turn the call back over to Sumedh Thakar for any closing remarks.

Well, thank you everyone for attending our earnings call and for all the questions, and we hope that you are safe. We really feel very fortunate to be well-positioned with our cloud platform in an environment where there still are a lot of point solutions that are focusing only on one aspect of security, whether it's just EDR or just Vulnerability Management. Today we really work hard to build a platform that is providing multiple different capabilities now including SaaS DR and that with the VMDR, with Multi-Vector EDR, SaaS DR for coming XDR solution. We continue to invest in expanding the capabilities of our platform and aggressively developing new solutions. Additionally, we are also focused on growing our revenues and maintaining our industry leading profitability while creating long-term value for our shareholders. I hope all of you remain safe and healthy. Thank you very much.

Thank you. Ladies and gentlemen, this does conclude today's conference. Thank you all for participating. You may now disconnect. Have a great day.