Qualys, Inc. Q4 FY2023 Earnings Call

Good day, and thank you for standing by. Welcome to Qualys Fourth Quarter 2023 Investor Call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question-and-answer session. Please be advised that today's conference is being recorded. I would now like to hand the conference over to your speaker today, Blair King, Investor Relations. Please go ahead.

Thanks, Gigi. Good afternoon and welcome to Qualys' fourth quarter 2023 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-K and 10-Q. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, and investor presentation are available on the Investor Relations section of our website. With that, I'd like to turn the call over to Sumedh.

Thank you, Blair, and welcome everyone to our fourth quarter earnings call. 2023 was another strong year for Qualys in terms of product innovation as we expanded our platform capabilities, strategic relevance in the industry, and market opportunity. We introduced Software Composition Analysis in on-prem and cloud environments to identify open-source software across the production environment of virtual images for our customers. We advanced our Custom Assessment and Remediation capabilities into our agent-based VMDR and Policy Compliance solutions, and launched a groundbreaking First Party Software Risk Management solution. We deployed GovCloud, a FedRAMP High Impact level Ready vulnerability and patch management cloud platform that meets President Biden's Executive Orders and NIST compliance. We harnessed technology from our acquisition of Blue Hexagon and extended our cloud-scale deep learning AI to discover and identify relationships and patterns within our own highly integrated data lake that are invisible and undetectable in traditional signature-based solutions. We unified Cloud Workload Protection, Cloud Security Posture Management, Cloud Detection and Response, Infrastructure as Code, and Container Security and brought an organically integrated agent and agentless Cloud Native Application Protection Platform to market. And at QSC in November, we announced our Enterprise TruRisk platform with which we are now embarking on the most innovative advancements to the platform in Qualys’ history. A comprehensive, enterprise-wide initiative aimed at holistically measuring, communicating, and eliminating cyber risk. The role of CISOs and security leaders is increasingly shifting away from just buying and deploying security point solutions towards being able to measure and articulate the amount of risk being posed to the business. C-level executives and boards are increasingly looking to monitor cyber risk and the risk reduction ROI from the cybersecurity spend. The Qualys Enterprise TruRisk Platform is focused on helping security leaders measure, communicate and eliminate cyber risk and become a partner in de-risking their business. The platform aggregates and orchestrates data from over 25 threat intelligence feeds as well as third-party risk signals from non-Qualys products to provide organizations with comprehensive AI-powered insights that translate risk signals into measurable scores and provide optimized remediation actions based on business impact. This single source of truth within a unified workflow and powerfully integrated dashboard empowers customers to effectively measure and communicate risk, secure cyber spend, add value, prioritize and eradicate threats across on-prem, cloud, and multi-cloud environments and sets a new gold standard in the industry for risk management solutions. Continuing this pace of disruptive innovation on the platform, we’re also extending our remediation capabilities to include AI-powered patch management and several other mitigation solutions, including virtual patching, configuration updates and compensating controls guided by TruRisk quantification functionality. This new combination of capabilities, which we call TruRisk Eliminate, uniquely softens organizational boundaries and enables security teams to apply flexible, automated, and intelligent risk-based response solutions to address cyber risk based on their organization's own unique operational characteristics, remediation timelines, and business objectives. Early customer feedback is quite encouraging and with over 54 million patches deployed on Qualys agents in just the last 12 months alone, we believe this new approach to eliminating cyber risk will not only help our customers transform their security operations, but further magnify our competitive differentiation in the market. Today, we announced a major new upgrade to our TotalCloud CNAPP solution to provide comprehensive vulnerability posture and threat management from development to runtime across multi-cloud and SaaS environments. Inclusive in this upgrade is the introduction of TruRisk Insights, which integrates data from our CWP, CSPM, CDR and external asset management solutions to provide organizations through a unified and prioritized view of risk. Combined with additional newly introduced capabilities such as SaaS, SSPM SaaS Posture Management, open-source software vulnerability detection and multiple-cloud ITSM integration with ServiceNow, we have created what we believe is one of the most comprehensive cloud-native security solutions in the market, with a unified actionable dashboard for immediate prioritization and remediation, the net benefit, faster results, better security outcomes and lower overall cost for our customers. Additionally, I'm pleased to announce that we are enhancing the Qualys Cloud Agent with passive sensor capabilities to help new and existing customers obtain real-time continuous visibility of unknown, unauthorized or rogue assets communicating inside their IT and OT environments. This unique approach to internal asset management enables millions of existing cloud agents to detect many more unmanaged devices with just a single click and eliminate the complexities associated with network appliance-based passive sensing. This enables organizations to rapidly turn previously unknown assets into security-managed assets with seamless CyberSecurity Asset Management VMDR enablement for comprehensive risk assessment, prioritization and remediation across their attack surface. These innovative new approaches to cybersecurity risk management, along with several others on our roadmap for 2024, allow our customers to reduce complexity as they standardize on a trusted platform that delivers an immediate ROI and lower total cost of ownership relative to siloed and detection-only technologies out in the market. Turning to the business update for the go-to-market motion in Q4, we experienced another quarter of steady VMDR adoption, which is now deployed by 56% of our customers worldwide. Key competitive VMDR wins include a leading healthcare provider, several global financial services technology and manufacturing companies, and multiple new and other existing customers, both down market and in the Global 2000. Adding to these wins, I will take a moment to share a couple of examples of how our customers and partners are expanding their use of Qualys' capabilities to further consolidate the security stack. On the customer front, one of my favorite new logo wins in Q4 was with a Fortune 300 media organization. Their organization was frustrated by the high volume of alerts being generated by their legacy security tools and the inability to uniformly contextualize and manage risk across dispersed agencies and environments, which hampered its team's efficiency and obstructed critical incidents. Recognizing the increased value, they could gain by modernizing their security stack and consolidating on Qualys' customer replace several existing vendors and adopted four modules from Qualys including VMDR, CyberSecurity Asset Management with External Attack Surface Management, Web Application Scanning, and our newly introduced TotalCloud CNAPP solution in a highly competitive seven-figure new customer bookings win. In another highly strategic and high six-figure upsell example, an existing Fortune 200 healthcare provider expanded its existing relationship with Qualys to standardize on our Enterprise TruRisk Platform. This customer has struggled to communicate the risk posture and list of prioritized risk remediation recommendations to their management, as well as their different IT teams. The TruRisk platform helps them consolidate risk factors from different Qualys modules into a single score with business context, which led them to purchasing multiple Qualys modules as part of this platform, consolidation, and expansion. On the partner front, we continue to advance our evolving ecosystem with two leading global managed service providers, Orange Cyber Defense and Kudelski. Both expanded their offerings beyond VMDR to include our Patch Management capabilities. These partners have indicated they chose Qualys over competing solutions due to our ease of orchestration, natively integrated platform and single-agent approach to simplify their security operations and significantly reduce remediation times for their customers. In addition, we expanded our relationship with Oracle Cloud with OCI, which is now making the Qualys Enterprise TruRisk Platform available in its marketplace. We also evolved our partnership with Microsoft Azure by sunsetting our vulnerability assessment only integration to provide Azure customers with the full capabilities of VMDR in its marketplace and we'll start ingesting Defender data into VMDR TruRisk platform. Further continuing our partnership with Microsoft, we are also selected to participate in its Security Copilot leveraging an AI-powered security solution. Finally, on the partner front, we expanded our relationship with Ingram Micro which is now offering a full suite of our CyberSecurity Asset Management VMDR and prioritize remediation workflows to its customers in the APAC region. As evidenced through these wins and several others like them, Qualys is much more than just a Vulnerability Management vendor with more and more companies beginning to turn to Qualys to reduce agents' security gaps, complexity, and costs, enabling them to transform and consolidate their security stack on the Qualys TruRisk platform. Largely as a result, customers spending $500,000 or more with us in Q4 grew 14% from a year ago to 183. In summary, we believe our natively integrated platform that measures, communicates, and eliminates cyber risk brings a highly differentiated value proposition to our customers as they get more security using fewer resources with the Qualys Enterprise TruRisk platform. Looking ahead into 2024, we'll continue our disruptive innovation, advance our go-to-market investments, and execute our strategic vision with a proven approach to balance growth and profitability.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. We're pleased to report a strong finish to the year, with Q4 revenues in line with expectations and strong earnings beat, delivering 13% revenue growth and a 47% adjusted EBITDA margin in 2023. The leverage we generated this year demonstrates the efficiency in our model and enables us to step up investments in new technologies, sales motion, targeted marketing programs, and people to accelerate long-term growth and further enhance our position in the market as a trusted security partner of choice. Now, let's turn to fourth quarter results. Revenues grew 10% to $144.6 million at the midpoint of our guidance. Growth from channel partners outpaced direct at 16% versus 6% growth from direct. With continued investment in our channel, our revenue contribution mix has shifted slightly over the past year, with the channel making up 44% of revenues in Q4 versus 42% a year ago. We expect a similar trend to continue in 2024. By geo, 13% growth outside of the US, was ahead of our domestic business, which grew 9%. Looking ahead to 2024, we expect our US and international revenue mix to remain roughly at 60% and 40% respectively. As for calculated current billings, although, we don't focus on or manage this metric, anticipating questions related to bridging this LTM calculated current billings growth to revenue growth guidance, we would like to note that our Q4 calculated current billings were positively impacted by the timing of invoicing of multi-year prepaid subscriptions and large early renewals. Normalized for this, LTM calculated current billings growth would have been approximately 12%. Turning to land-and-expand results. With customers confirming their prioritization of security within IT budgets, we anticipate that the selling environment in 2024 to remain stable with ongoing budget scrutiny being the new normal for many organizations. In Q4, we were pleased to see improvements in the new business although the upsell environment remained challenging with our net dollar expansion on a constant currency basis at 105%, down from 106% last quarter. While there continues to remain room for improvement from smaller customers, LTM revenues from customers spending $25,000 or more with us increased by 12%. In terms of product contribution to bookings, Patch Management and CyberSecurity Asset Management combined made up 12% of total bookings and 22% of new bookings in 2023. In 2023, the increased adoption of these products resulted in over 50% growth on a combined basis. Our Cloud Security solutions made up 5% of 2023 bookings, led by our natively integrated TotalCloud CNAPP offering. Turning to profitability. Adjusted EBITDA for the fourth quarter of 2023 was $65.8 million representing a 46% margin compared to a 42% margin a year ago. Although operating expenses in Q4 were largely unchanged, up only 2% to $59.5 million. Sales and Marketing expenses increased by 12% with us, closing out the year with 438 Sales and Marketing headcount, up 16% from last year. EPS for the fourth quarter of 2023 was $1.40, and our free cash flow was $32.3 million. Free cash flow for the full year 2023 was $235.8 million, representing a 43% margin compared to 37% in the prior year. In Q4, we continued to invest the cash we generated from operations back into Qualys including $1.5 million on capital expenditures and $23.1 million to repurchase 140,000 of our outstanding shares. As of the end of the quarter, we had $83.7 million remaining in our share repurchase program. We’re pleased to announce that our Board has authorized an additional $200 million share repurchase program, bringing the total available amount for share repurchases to $283.7 million. With that, let us turn to guidance, starting with revenues. For the full year 2024, our revenue guidance is $600 million to $610 million, which represents a growth rate of 8% to 10%. For the first quarter of 2024, we expect revenues to be in the range of $144.5 million to $146.5 million representing a growth rate of 11% to 12%. This guidance includes an estimated 1% reduction to revenue growth in 2024 from sunsetting our embedded solution for Microsoft Defender, effective May 1. Earlier this year, Microsoft Defender for Cloud users using Qualys solutions were notified that we will be retiring our integration on Microsoft Defender and transitioning to a BYOL model. With this change, these customers will be able to leverage Qualys TotalCloud CNAPP to effectively manage their security risk for cloud and container workloads. Although this strategic shift is estimated to result in a short-term negative impact to revenues, we believe it will be key to delivering long-term value to consumers. Normalized for this change, our revenue guidance for the full year 2024 would have been 9% to 11%. Shifting to profitability guidance. For the full year 2024, we expect EBITDA margin to be in the low 40s, implying approximately a 20% to 25% increase in operating expenses similar to increase in investments in 2022 and free cash flow margin in the mid-30s. We expect full year EPS to be in the range of $4.95 to $5.27. For the first quarter of 2024, we expect EPS to be in the range of $1.27 to $1.35. Our planned capital expenditures in 2024 are expected to be in the range of $15 million to $20 million, and for the first quarter of 2024, in the range of $3 million to $5 million. In 2024, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, enhancing our partner program, expanding our federal vertical, and supporting sales while maintaining a disciplined approach to unit economics. As a percentage of revenue, we expect to prioritize an increase in investments in sales and marketing as well as related support functions, systems, and people with more modest increases in engineering and G&A. As we increase our focus on sales and marketing enablement, customer success, and productivity in response to a more stable selling environment, we believe we will be able to drive wallet share and long-term returns while balancing growth and profitability. In conclusion, in 2023, we delivered healthy top-line growth and industry-leading profitability in the wake of a challenging macroeconomic environment. We continue to lead with product innovation and announced an exciting new roadmap for the Qualys Enterprise TruRisk Platform. We are confident in our ability to deliver on our growth opportunity long-term and remain committed to maximizing shareholder value. With that, Sumedh and I would be happy to answer any of your questions.

Thank you. Our first question comes from Josh Tilton from Wolfe Research.

Thank you for taking my questions. I have two quick ones. First, regarding the strong billings growth in the quarter, I know you mentioned it as a one-off in your prepared remarks. Could you provide more details about the one-off early renewal? Also, I understand it’s early, but you should still be able to recognize it in revenue. Should we think about it as revenue growth or guidance being lower if this early renewal had not occurred in Q4?

So in terms of early renewal, we booked it earlier. And typically, when we book early renewals, it's combined with an upsell. So it actually doesn't have a rev-rec impact earlier in the period, because we closed the deal earlier. So the revenue recognition as an example, if it was an early renewal that was supposed to renew on January 1, and we renewed it on December 1, because the customer wanted to have an upsell combined with the renewal and we closed the entire deal on December 1, because that's what the customer preferred. The early renewal piece, even though it impacted the billings, because we would invoice for the total amount, wouldn't have had an impact on the revenue into Q4.

Super helpful. And then I guess just my follow-up is really appreciate the clarity on the Microsoft partnership and its contribution to revenue. Could you maybe just dive one level deeper? Obviously, the short-term negative is a clear impact, but how you guys envision this being more of a long-term positive for Qualys?

That's a great question, Josh. I think if you look at what VM has evolved quite a bit over the last few years, and the VMDR that we came out with, which took the scan-only VM and evolved it into multiple other additional capabilities, including inventory and threat detection as well as certificate management giving an ability to patch systems. VMDR really in my mind set the standard for what end-to-end modern VM needs to be. And so with the relationship with Microsoft, the particular integration was the legacy scan-only VM that they were leveraging. Moving to the full BYOL allows us to work with the customers to bring the full VMDR license into the Azure environment. And with that full VMDR license, it allows us not only to sell them VMDR but also enables us to have conversations with them about CSAM, Patch Management, File Integrity Monitoring, TotalCloud upsell, because today Cloud Security is evolving and integrated CSPM with Vulnerability Management, which we provide, is significantly better than just getting ACV list out there. As the partnership evolves, we will be taking Defender data into our new TruRisk platform that we are working on as well as pushing Qualys data into Copilot for a different type of insights that Microsoft provides. The BYOL still gives that integrated experience and the ability to embed the Qualys agent just that the licensing then comes to Qualys and does not become sort of an embedded thing that we don't really have access to.

Makes sense. Thank you so much.

Thank you. One moment for our next question. Our next question comes from the line of Jonathan Ho from William Blair.

Hi. In terms of your investments in Sales & Marketing, can you maybe help us understand the magnitude of those investments and just given that you've got the new sales leadership here in place, what are some of the specific opportunities that you're seeing to make those investments? Thank you.

The way we're looking at the investment in 2024 is relatively in line with what we had in 2022. Back in 2022, we said that it was going to be an investment year. We had increased Sales & Marketing investment by approximately 25% back then and we have increased our Sales & Marketing head count by 22%. This is kind of what we're looking to repeat in 2024, especially given that we've only grown sales and marketing by 14% in 2023. Primarily, it will be driven by increasing the Sales & Marketing employee count, hiring for quota-carrying sales reps, as well as other support functions associated with that especially with a particular focus on the channel managers with our focus on partner first. Additional investment that we plan to make is related to anything that's like pipeline generating activities including marketing trade shows, events and partner enablement as well as sales enablement.

Yeah. We're pretty excited about what we're seeing with the response on our CNAPP solution with TotalCloud and then our Enterprise TruRisk Platform coming up. We're encouraged by what we're seeing for new logos that are coming to us and really interested in the cloud security solution, not just VMDR. We're going to also invest more in marketing around our cloud security solution this year in addition to the Sales & Marketing head count growth that we look at for 2024 as the way for us to invest into our platform.

Our next question comes from the line of Mike Walkley from Canaccord Genuity.

Good afternoon. It's Dan on for Mike. Thanks for taking the question. So in the prepared remarks you called out expectations of, I guess, shifting more revenue coming from the channel. Can you give us some additional color on what you're seeing with your channel partners and sort of how this is progressing following the hiring of Dino?

Yeah. We're pretty happy with Dino having come on board. We also hired in Q4 an SVP of channels who's really working closely with us. As we look into 2024, we're encouraged by the mix we are seeing between partner vs direct, and we're going to continue in 2024 to invest with our partners. There's the next phase of our partner program that we are planning to roll out in a couple of months as well. As you see some of these additional partnerships that we are making, whether it's with Orange Cyber Defense or Kudelski, taking on our additional solution like Patch Management as well to take it to market. We're investing in hiring some partner-focused marketing as well as partner-focused product management roles internally. Overall, we are encouraged by the conversations we're having with our partners and seeing sort of the contribution they are making. We have a good comprehensive plan this year to invest in our partner ecosystem including focusing really on net win logo generation and working with our partners to help generate that pipeline for us and work with them on most of our net new logos.

All right. Thanks for the color. And just as a quick follow-up, maybe for Joo Mi. How should we sort of think about the potential timing for the increased Sales & Marketing investments? Should we anticipate maybe the step-up in cost to be more back-end loaded or kind of just progress throughout the year evenly?

I think what you could assume is progress evenly throughout the entire year, but it will be more heavily weighted in the second half than the first half.

Thank you. One moment for our next question. Our next question comes from the line of Brian Colley from Stephens.

Hi. Thanks for taking my questions. Could you talk about what your win rates look like in the CNAPP space today kind of what you view as your biggest competitive differentiation in that space whether or not you see CNAPP becoming a source of new lands rather than just landing with VMDR in the future?

Great question. With our CNAPP solution with TotalCloud, I think the biggest differentiator that we see right now is that cloud is not the only infrastructure that customers deploy. Many cloud-only security solutions do not give them the full perspective of the risk that cloud environments have. As an example, if a cloud environment access is on a laptop of a particular admin employee and that laptop has certain vulnerabilities and risk configurations that can lead to a compromise, that can then lead to a compromise in the cloud. It's too early right now to call out win rates because we just recently launched it and now we have released additional updates. What we do see is that customers really want to see a comprehensive view of their risk, not just in cloud environments, but across different environments. Our ability to tie the different components of cloud and non-cloud together to give them a more holistic risk score is something that they are excited about. We are seeing net new logos coming because of interest in the cloud security solution or first-time buyers directly coming in and buying the TotalCloud solution from us, not just the VMDR solution. That's encouraging, and that's where I'm looking forward this year to invest more in our cloud security and generate more opportunities.

Got it. That's super helpful and definitely encouraging to hear. One for Joo Mi. I'm curious, what your expectations are for gross margins in 2024? And also just longer-term, if you kind of view low 40s as kind of the new normal for EBITDA margins or if you see other opportunities for leverage in the model to maybe start re-expanding margins again beyond this year.

Yes. In terms of the EBITDA margin, what we said before was, I mean if you take a look at our 2023 EBITDA margin was up 47%. It was clear to us that obviously, there's room for us to reinvest back into the business in light of the changes that we're going through right now and opportunities ahead. For 2024, we believe that this is an appropriate guide as we continue to ramp the investment in Sales & Marketing and catch up on some of the investments that we had planned earlier in 2023. Longer-term, it's a little too difficult to say because if we think that there's really an opportunity where there is a high ROI in an investment area, it makes sense for us to trade more of that margin with the growth, but that model would have to work out for us to really change our new targets.

Thank you. One moment for our next question. Our next question comes from the line of Trevor Walsh from Citizens JMP Securities.

Great. Thank you for taking my questions. Sumedh, maybe just a couple for you. On a real high level, what are you seeing from a budget perspective as we're kind of starting out 2024 just broadly within security? And then I can have – just depending on how you answer, I have a follow-up around VMDR if I can.

Got you. So yes, we are really not seeing a big change in terms of sort of the budget or the amount of time it is taking for customers to do a POC or even after they do a POC and the timing of when they will actually make a purchase or the size of the purchase compared to the initial start of the POC. I'm really not seeing much of a difference. Q4 we saw a couple of customers who were able to close the projects they had started with us for a while but that isn't translating into any major investment increase in their cybersecurity investment in 2024. There is a little bit more sense of stability in that they sort of have an idea of where they land, and more optimistic that their budget will not be taken away in the middle of the year. In terms of VMDR, we are very happy with where it is. It has reached a point where we will see its continued sort of incremental growth. Our focus really is on how to leverage VMDR deployments and work with those customers for additional up-sells on agent-based solutions. I'm excited about the ability we introduced where any existing Qualys Cloud Agent can immediately be turned into a listener on the network to find additional communicating devices that are not part of the Qualys inventory. With that, customers have immediate access and the ability to leverage that agent to find new assets they did not know about and quickly add them into the Qualys subscription.

Great. Appreciate the color. Thanks.

Thank you. One moment for our next question. Our next question comes from the line of Yun Kim from Loop Capital Markets.

Hey. Great. Sumedh, just like you said VMDR adoption has been steady. Cloud Agent deployment seems to be steady here, over the past several quarters. You have Patch Management, Cybersecurity Management Solution consistently doing well. I know you have guidance for the year, but I am assuming you are hoping to do better. Do you feel that the incremental sales and marketing investments and new go-to-market motion could drive that upside to your guide? Or do you feel that you need another new killer product to jump start the growth?

We have no lack of products at Qualys, right? We continue to innovate and work with our customers to make sure that we align our go-to-market with that. CyberSecurity Asset Management and Patch Management are continuing to do well over multiple quarters. I'm pretty excited about the opportunity that we are generating with TotalCloud and our CNAPP solution. We are also looking forward to do more investments in marketing to generate more opportunities. We launched the TruRisk platform, and so that product is going beyond just Qualys. It provides a unified view of their entire risk score, allowing us to get customers to look at getting multiple modules from Qualys in one go rather than having to go module-by-module. This will enable us to engage customers in a more meaningful way.

On Azure and hyperscalers in general, are you getting increasing traction with your marketplace or app store offerings?

On the Azure marketplace, we have the BYOL model. We have many enterprise customers leverage Qualys directly in Azure without going through the marketplace, as we have millions of agents today running in Azure that are through our enterprise customers already. The BYOL is one channel for us, but many of our enterprise customers are using Azure already coming to us for a more holistic security solution across multiple clouds, on-prem platforms, laptops, etc. We will continue to see how that channel evolves, but it's too early to say right now.

And then Joo Mi, real quick, any insight into any ASP trend in the quarter? And how do you see that metric trending this year?

The average deal size is growing by double digits, and we expect it to continue into 2024.

Thank you. One moment for our next question. Our next question comes from the line of Dan Bergstrom from RBC Capital Markets.

It's Dan Bergstrom for Matt Hedberg. Thanks for taking my question. You called out a couple of Fortune 500 wins in the prepared remarks and looking at the earnings materials, it looks like you've had some nice incremental adoption in that Fortune 500, the Global 2000 over 2023. Can you help us with what drove that incremental traction at the upper end of the market? Was it a product? Partners? Reach?

I think it's a combination of all, but I would say that Qualys generally does really well on the enterprise side in terms of solving complex problems. As our Cybersecurity Asset Management product and Patch Management have matured, customers are seeing value beyond just vulnerability management. There was a hesitation at the beginning to say, 'will the VM buyers buy patch management from a VM vendor?' But now, seeing the results and customers discussing their success drives focus on these modules and additional upsell. We have a couple of partners providing patch management-as-a-service based on Qualys patching in addition to VMDR, and partners are helping us have these conversations with customers.

Thank you. One moment for our next question. Our next question comes from the line of Aidan Perry from Piper Sandler.

This is Aidan on for Rob Owens. Thank you for taking my question. I just wanted to ask, if you could touch upon the comments made with the sales mix geographically. Can you elaborate on the comments made to keep the US and foreign sales mix around 60/40 and the thought process on foreign investments in the future?

The way we're thinking about it is we have a huge opportunity because we have a large target addressable market. Majority of our growth will be driven by our platform play. Patch Management, CSAM, TotalCloud, all of these products are relatively new to Qualys. We do plan on investing not only in Americas but also internationally as well. We expect the growth to continue as is. If you take a look at prior years, there have been periods where international revenue growth was faster than the US and vice versa. That’s why we gave the guidance we expect approximately similar 60-40 going forward based on our investment plan for 2024.

Thank you. One moment for our next question. Our next question comes from the line of Shrenik Kothari from Baird.

Yes. Thanks for taking my question. Sumedh, you highlighted the TruRisk platform and how it's aligning with the customer priorities under these tighter budgets with the CISOs getting to monitor the ROI. You mentioned positive early feedback and how it emphasizes the platform's potential. Now, you mentioned about capitalizing the rolling up of multiple modules. Are you considering a model where you could monetize the dashboard as a stand-alone payment SKU given the demand potential?

Yes. I think we're still early in the game to have a specific pricing model that we have released. We are working with our customers to understand that. The advantage I see over consolidating products into standalone solutions is that customers already have Qualys. Instead of having Qualys and buying another solution to pull data into the dashboard, the operational challenge is significant. None of those solutions actually facilitate getting customers to fix those issues. Today, our focus is not on monetization of the dashboard itself, but rather on the ability for customers to consolidate multiple modules from Qualys. This dashboard enables additional upsell opportunities through Qualys solutions which allow for actionable insights.

Got it. Sumedh, that's super helpful. And just very quickly a follow-up for Joo Mi. You mentioned about the growth seen through channel partners compared to direct sales. Can you provide color on how that impacts the overall margin trajectory and margin guidance for the year?

Yes, no problem. It's already factored in. What's interesting for us is that when we started to really think about how to better our partnership with different channel partners. If you take a look at our mix, channel partners used to make up approximately 40% of our revenues, and that's trended to 41%, 42%, and ending 2023 was 43%. It hasn't had much of an impact on our gross margin. We think it will slowly continue to step up with it being 44% for Q4; we don't think that it will have a meaningful impact on our margins.

Thank you. One moment for our next question. Our next question comes from the line of Brian Essex from JPMorgan.

Hi. Good afternoon, and thank you for taking the question. Sumedh, my question is basically centered around SecOps and cloud security. The two segments that are seeing quite a lot of demand for growth across the industry. With your risk management strategy and expanding features in those segments, are you focused on shifting to lead with SecOps with cloud security and cross-sell risk management?

That's a great question. We are excited about the early results we are seeing in cloud security among new business, and there's comfort with pitching and providing POCs for the cloud security solution. We find that our sellers are very engaged with cloud security prospects who are showing interest in our TotalCloud solution. We are investing this year in specific marketing to bring in cloud security demand directly. We are focusing on providing a comprehensive solution that combines cloud, on-prem, and other environments, which we believe will resonate well with customers looking for holistic risk management.

Got it. Super helpful. And maybe a quick follow-up for Joo Mi. Any thoughts on providing metrics so we can track the emerging segments outside of the core VMDR risk management suite, such as cloud security? Just to gauge traction.

Yes, that's a good point. We'll think about it internally and as we do to disclose relevant metrics to provide more clarity and guidance.

Thank you. One moment for our next question. Our next question comes from the line of Hamza Fodderwala from Morgan Stanley.

Hi. Good evening. Thank you for taking my question. I just had one clarification regarding the Microsoft relationship. I understand they're a partner and a customer. Any comments around this Microsoft commitment to Qualys as a customer going forward?

We have a really good relationship with Microsoft. They are a partner with us and they internally use Qualys. Those are two completely different teams with different goals. The team working on Defender is looking at their solution while the internal team is focused on ensuring they get the best solution out there. At this point, the internal and external relationships with Microsoft contribute a low single digit percent to our revenue. We are continuously exploring opportunities to expand with Microsoft, but we have not seen any changes so far.

Thank you. At this time, there are no further questions. This concludes today's conference call. Thank you for participating. You may now disconnect.