Qualys, Inc. Q1 FY2024 Earnings Call

Good afternoon, and welcome to Qualys' First Quarter 2024 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO. Before we get started, I'd like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. The factors that could cause results to differ materially are set forth in today's press release in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release, and as a reminder, the press release, prepared remarks and investor presentation, all available on the Investor Relations section of our website. So with that, I'll turn the call over to you, Sumedh.

Thank you, Blair, and welcome to our first quarter earnings call. Qualys achieved another quarter of strong revenue growth, solid profitability, and cash flow generation, reflecting our commitment to innovation and customer success. As cyber threats become more complex and regulatory demands increase, boards and executives are focusing more on the business outcomes of cybersecurity. This shift necessitates integrated security solutions for customers to effectively assess and enhance their security posture. We believe the Qualys Enterprise TruRisk Platform, which aims to reduce friction, risk, and cost, offers organizations a foundational risk management system and provides a competitive edge for both our customers and Qualys. Consequently, our VMDR solution with TruRisk is driving new customer acquisitions and increasing platform usage, particularly in areas like CyberSecurity Asset Management with External Attack Surface Management, Patch Management, and Cloud Security. In Q1, demand for VMDR was robust across the health care, technology, retail, and financial services sectors, with significant deal sizes. I’d like to share a few examples of how our customers are expanding their use of Qualys’ capabilities to streamline their security systems. One significant Q1 win was a high six-figure booking from a top business services company listed in Forbes 1000. This customer upgraded its VMDR and Patch Management deployments while integrating CyberSecurity Asset Management with EASM to identify outdated software, monitor infrastructural subdomains, and overhaul its IT security setup, consolidating multiple vendor solutions into a single platform. The enhancements they made to their security program included comprehensive asset management, risk scoring, ticketing, and automated patching within a unified dashboard, setting them apart from alternative technologies. Another success involved an existing Forbes 100 manufacturing client that standardized on the Qualys Enterprise TruRisk Platform, consolidating risk factors from different modules into a cohesive risk score with business context. This customer, already utilizing VMDR and total cloud services, faced challenges in connecting various asset management tools across subsidiaries. To improve visibility and management of risk, they shifted to Qualys by replacing their current asset management tool and expanding into our CyberSecurity Asset Management with EASM solution in a six-figure upsell. Now, they leverage multiple features of the Qualys Enterprise TruRisk Platform to assess and prioritize risk reduction initiatives, enhance organizational resilience, and provide reassurance to their CISO. Continuing to invest in our partner program remains a crucial part of our market strategy, enhancing our capabilities and driving new business for Qualys. Through these efforts, we’ve strengthened our partner ecosystem, including collaborations with two leading managed service providers in the U.S. One of these partners expanded its offerings to include our Patch Management capability, while the other has chosen Qualys as its preferred partner for a comprehensive suite of solutions across its federal and commercial sectors. This latter partnership highlights our commitment to growing our federal business, and we're eager to host our first public sector Cyber Risk Conference later this month. With nearly 50 partners already utilizing our new MSSP portal, we are well positioned to broaden our outreach to customers of all sizes. We also fortified our alliance with a major system integrator to promote our TotalCloud CNAPP solution. We believe that our growing partner program reflects our enhanced brand awareness and market position. Customers are increasingly recognizing how integrated solutions can effectively address modern security challenges, leading to better security outcomes and cost savings. Consequently, the number of customers spending $500,000 or more in Q1 rose 19% year-over-year to 192. Innovation has always been central to Qualys' mission. We are excited about our upcoming enterprise TruRisk Management application, which represents a significant expansion of our platform, building on the success of VMDR with TruRisk. This new capability will allow VMDR customers to move toward a more comprehensive cyber risk management platform beyond just vulnerability management. The enterprise TruRisk Management solution aggregates and normalizes vast amounts of data, correlates risk factors with assets and threats, visualizes and prioritizes risk, and streamlines remediation with just a click. These capabilities are all seamlessly integrated within a single dashboard, equipping Qualys with powerful tools to assess and manage risk across various environments. Our AI-powered insights are converting detected risks into actionable initiatives throughout our platform, enhancing organizations’ ability to reduce risk proactively. Feedback from CISOs at our recent QSC EMEA event emphasized their enthusiasm for our rapid deployment of new capabilities and their ability to monitor the ROI on cybersecurity investments. We also recently integrated MITRE ATT&CK Matrix Prioritization into the Qualys Enterprise TruRisk Platform, which combines threat intelligence with the MITRE ATT&CK framework. This advancement provides organizations with a comprehensive view of risks based on attack tactics and techniques. We believe this positions Qualys as the leading enterprise-scale solution for managing cyber risk effectively. Continuing our innovative streak, we've now unified cloud infrastructure entitlement management into our TotalCloud CNAPP solution, allowing customers to manage cloud resources more securely. Along with new capabilities for container runtime security and Kubernetes posture management, we are confident we have developed one of the most comprehensive cloud-native security solutions available. Lastly, I’m excited to introduce our CyberSecurity Risk Management 3.0 solution, featuring new capabilities for managing the external attack surface and integrating third-party assets for a complete view. This innovative approach to risk management enables security teams to overcome detection challenges and accurately associate unmanaged assets with their organization. Overall, customers acknowledge that security transformation is essential in today's heightened threat landscape. They are increasingly turning to integrated risk management platforms instead of piecing together disparate solutions. We believe our cloud-native platform that integrates various aspects of risk management positions Qualys for future growth and long-term shareholder value. Now, I will hand the call over to Joo Mi to discuss our first quarter results and provide an outlook for the second quarter and full year 2024.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year periods unless stated otherwise. Turning to first quarter results. Revenues grew 12% to $145.8 million with the channel continuing to increase its contribution, making up 45% of total revenues compared to 43% a year ago. As a result of our continued commitment to leverage our partner ecosystem to drive growth, we were able to grow revenues from channel partners by 18%, outpacing direct, which grew 7%. By deal, 13% growth outside the U.S. was ahead of our domestic business, which grew 11%. Looking ahead, we expect our U.S. and international revenue mix to remain roughly at 60% and 40%, respectively. Turning to land and expand results. We continue to witness deal scrutiny persisting for many organizations with the upsell environment remaining challenging, resulting in a 104% net dollar expansion rate down from 105% last quarter. Offsetting this was a positive growth trend in new business, achieving double-digit growth rate for the third consecutive quarter. As we continue to prioritize increasing market share in 2024, we plan to launch new customer acquisition campaigns and incentives in addition to streamlining sales cycles and operations with better use of technology and systems. In terms of product contribution to bookings, patch management and CyberSecurity Asset Management combined made up 13% of LTM bookings and 23% of LTM new bookings in Q1. With the rapid pace of innovation associated with our TotalCloud CNAPP offering, our cloud security solutions made up 4% of LTM bookings. We attribute the success to an increasingly complex threat and regulatory environment that underscores the relevance of our Enterprise TruRisk platform to holistically assess, manage, and remediate risk. Turning to profitability. Adjusted EBITDA for the first quarter of 2024 was $69 million, representing a 47% margin compared to a 45% margin a year ago. Operating expenses in Q1 increased by 5% to $56.8 million, primarily driven by an 11% increase in sales and marketing investments. As we continue to increase our investment intensity and focus on sales and marketing enablement, customer success, and productivity, we believe we will be able to drive wallet share and long-term returns while balancing growth and profitability. EPS for the first quarter of 2024 was $1.45, and our free cash flow was $83.5 million, representing a 57% margin compared to 48% in the prior year. In Q1, we continued to invest the cash we generated from operations back into Qualys, including $2.1 million on capital expenditures and $18 million to repurchase 105,000 of our outstanding shares. As of the end of the quarter, we had $265.7 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenue. For the full year 2024, we are now expecting our revenue to be in the range of $601.5 million to $608.5 million, which represents a growth rate of 8% to 10%. This compares to revenue guidance of $600 million to $610 million from last quarter. For the second quarter of 2024, we expect revenue to be in the range of $147.5 million to $149.5 million, representing a growth rate of 8% to 9%. This guidance assumes continued deal scrutiny, resulting in a tougher upsell environment, partially offset by investments in the business to drive new customer growth. Shifting to profitability guidance. For the full year 2024, we continue to expect EBITDA margin to be in the low 40s and free cash flow margin in the mid-30s. We expect full-year EPS to be in the range of $5.06 to $5.30 up from the prior range of $4.95 to $5.27. For the second quarter of 2024, we expect EPS to be in the range of $1.27 to $1.35. Our planned capital expenditures in 2024 are expected to be in the range of $13 million to $18 million and for the second quarter of 2024 in the range of $4 million to $6 million. Consistent with prior guidance, for the remainder of 2024, we intend to outline our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, enhancing our partner program, expanding our federal vertical, and supporting sales while maintaining a disciplined approach to unit economics. As a percentage of revenue, we expect to prioritize an increase in investment in sales and marketing as well as the related support functions and personnel, with more modest increases in engineering and G&A. In conclusion, in Q1, we delivered healthy top-line growth and industry-leading profitability, while making progress in executing our long-term strategic agenda. With our comprehensive risk management platform, delivering immediate time to value for our customers, we're confident in our ability to deliver on our growth opportunity long term and remain committed to maximizing shareholder value.

It's Daniel on for Mike. So it seems like that dollar retention came down a little bit to 104%. I think you guys called out the tough upsell environment despite the new or, I guess, improvements in new additions. Can you just provide maybe some color for us on what's impacting your upsell business and some of the changes you're making to make some improvements here?

That's a great question. So with existing customers who have invested with Qualys and other security platforms, they are continuing to work with us to, in many cases, sort of optimize the spend that they have done with Qualys, continuing to get additional value. We talked a little bit about this last time; in some cases, they might be looking at adjusting some of the VMDR licenses, but bringing in patch management and CyberSecurity Asset Management as part of that, which is where you see the percentage of bookings that are going up. So overall, in the longer term, this is good because it gives us an opportunity to introduce additional products in smaller quantities right now that will help us get the upsells to be better and increasing in the future. But currently, the review times are long as they have been, and customers just continue to take longer to make decisions on larger projects where they're looking to bring on a whole new product from Qualys. And that's where we are working with them to, first of all, make sure that we are putting some of our marketing engine behind generating additional opportunities. We are doing a lot of CISO education right now. The CISO Connect programs we have recently launched have been quite helpful as we talk the language of risk management, which is really where our ETM platform is quite interesting for the CISOs. All our CISO events recently have been completely overlooked because they really want to come in and talk more about how Qualys is going to help them with cyber risk quantification and being able to look at cyber risk holistically and then eliminate that. So there are a few things that we're doing on that side. But right now, while new business, we're seeing good execution, we do definitely see opportunities for us to execute better in the tougher climate that we are seeing for upsells with existing customers.

Great. And just as a quick follow-up, maybe, Joo Mi, for you. Maybe could you walk us through some of the assumptions within your decision to narrow the full-year revenue guidance spend?

Yes. The primary reason why we decided to narrow was because Q1 became more or less in line with what we had anticipated at the midpoint of the revenue guidance. And the way we see it right now is, of course, we had hoped to do a little bit better with the net dollar expansion having ticked down by a percentage. The underlying assumption for the full-year revenue guidance is that we don't anticipate any material improvement in the dollar expansion rate today, especially because we do see continued challenges going at least into Q2. So because of that, we're assuming that net dollar expansion rate stays as is or maybe ticks down a percentage. On the new business, though, we are seeing some trends, and we were pleased to see the traction in the business today. But the law of smaller numbers means it is a smaller portion of our business, so even if it continues at the current growth rate that we see today, it won't have a material impact in terms of the uplift to revenue.

So for Sumedh, you mentioned that you're looking to expand the federal business and expand the public sector presence and kind of hosting your first public sector conference. Just curious, like, can you elaborate on the traction of the GovCloud platform, so far what trends are you seeing there? And how has it performed relative to your expectations? And can you discuss the opportunity that you see in terms of expanding it within the public sector?

Yes. Great question. The opportunity in federal is definitely large, and we are really working towards investing in the right way so that we can take advantage of that opportunity. From that perspective, we have recently hired a leader for federal that we're happy about. We have expanded our federal team. We have hired someone to focus on federal marketing. As you can see, we're really putting in place our first conference for federal, which already, we have over 200 people signed up, kind of more than what we were anticipating from a capacity perspective. So those are really positive signs. In the last few quarters, we've talked about certain wins that we have had with government, federal government agencies. The way we look at that is it's an extremely small percentage of our overall bookings, and we have a good opportunity to grow in that direction. We are making the right investments. But of course, as it is with the federal market, it takes time, and we are building the relationships with partners. As you can see, we signed up our federal partner that's taking Qualys and our patch management along with the VMDR. We invested in the FedRAMP program, so we have already FedRAMP moderate, which we have a large number of ATOs from many government agencies providing us ATO. We are on track now working with the PMO's office to get our FedRAMP High final certification. We are already FedRAMP high ready right now. So once we get our FedRAMP High certification, which we anticipate towards the end of the year, that will give us even additional opportunities to take our GovCloud platform deeper into more agencies that are looking to modernize their infrastructure and move to a federal SaaS platform from very heavily on-prem solutions. With the FedRAMP High, that will enable us to be the only FedRAMP High vulnerability and patch management combined solution available for these customers. As we saw with some of our federal wins, the reason for them to change out the current provider is because the current providers are only doing scanning and they have a separate patch management tool. Even in the federal government, some of the recent wins that we have seen have enabled us to feel confident in our direction. We can continue to take the Qualys combined platform with patch management, etc., and that's something that federal agencies are also looking for to reduce their tooling and expand into the cloud environment. It's an area that we are continuing to invest in. We're at the very early stages of that investment, and we are pleased with the traction that we are seeing in this early stage.

Got it. Helpful. And quick follow-up for Joo Mi. So you mentioned that you guys plan to launch new customer acquisition campaigns. Can you elaborate on whom you are targeting? And where is your increase in investment intensity in S and M going? Is it going to be more focused on sales incentives geared towards new logos, much more headcount growth, partnership investments, of course, public sector? Just curious how you're increasing the investment intensity there?

Yes. Our priority has been for a while to grow our new business. That's part of the reason we're really pleased to see the continued traction and momentum. The way we see it right now is where we've been really successful is on the enterprise side because that's where our strength is. However, we're pleased to see traction on both the enterprise and SME and SMB. The way we are trying to continue to invest to support that growth is, number one, we are planning to hire more sales reps to support that growth. That's one of our initiatives. We are planning to increase our sales and marketing headcount by double digits this year as we had planned before. That hasn't changed. Number two, our partner channel has been really successful for us. We're seeing increases in investments in several different fronts, including the MSSP portal that we just announced, as well as deal registration. It continues to be healthy and to increase, and we continue revisiting the incentive structure, whether it's partner or direct, to make sure that it's structured in a way to incentivize both direct and indirect sales forces to drive the new logo growth.

This is Joe Vandrick on for Patrick Colville. So it seems like cloud security is a big opportunity for Qualys. And you mentioned the CNAPP solution getting some solid market traction. Are you typically selling it as a bundle, or are customers deciding to buy each solution separately? And part two of that question, are you seeing stronger demand within any one area of CNAPP, for example, CSPM or workload protection or maybe something else?

Yes, that's a great question. Look, I think there is no organization out there that is cloud only. Every time they look at their infrastructure, they have to do cloud and non-cloud assets together. That's really where we see the advantage for Qualys: when they combine the VMDR capabilities on on-prem assets and then are able to use the exact same platform and expand that licensing into the cloud. It just makes it a lot more seamless. They get the benefit of higher volume pricing. It gives them the ability to combine the risks from their cloud and on-prem platforms together in one place. That's why it's interesting for us to see that even in our new logo lands, customers are starting to buy the total cloud solution combined with VMDR upfront in the first purchase itself. While it's early days, that's quite encouraging for us. We continue to work with our existing customers who have the VMDR to expand those capabilities into the cloud. In some cases, they don't have any good cloud security solution; in other cases, we are displacing some cloud-only solutions because they need visibility that is broader than that. Our pricing for the cloud solution, given that the assets are so ephemeral, allows flexibility in the way that they can consume the cloud licenses. They can use it for CSPM, for container security, and for cloud identity. The recent cloud identity module that we just announced is another expansion into the cloud-native platform, and so it's a maturity-level question for organizations. Organizations that are very early in the journey right now are focusing initially on the CSPM part of TotalCloud. Those who are more mature are also taking the workload protection part, and those who are going beyond that are also looking at other things like our ability to detect malware in the cloud in real time and our expanding capabilities into SaaS environments for SaaS posture assessment. Now we are looking forward to getting these customers access to our cloud identity entitlement management as well. There’s a lot we are focusing on driving from a marketing and sales enablement perspective to create more opportunities in the TotalCloud side, but we are pleased with the conversations and traction we’re seeing in the early days of this push.

That's helpful. And maybe one for Joo Mi, if I could. How should we think about capital allocation priorities over the next year? It looks like you bought back $18 million worth of shares in the quarter, which is a bit of a step down compared to last quarter and last year. So just curious what it would take to see you get aggressive on share buybacks.

The buyback is based on our current framework. We view it as a way to counterbalance the equity dilution from our grants. Over the past few years, our dilution has been consistently decreasing. As we look towards 2024, we expect to see more merger and acquisition opportunities, particularly at valuations that are favorable for us. We will assess potential acquisition targets as opportunities arise and take steps to leverage our balance sheet.

Can you hear me? I apologize for the background, as I'm at a small cybersecurity conference called RSA.

We can hear you.

I have two quick questions. First, could you discuss the billings growth for the quarter and whether it aligned with expectations? How do you anticipate billing growth for the rest of the year in relation to the revenue guidance you provided? Secondly, I'm interested in the new customer growth on your side of the business. I believe you mentioned three consecutive quarters of double-digit growth. How can I track that? What should I look for in your disclosures to see this reflected in the numbers? Is this growth primarily coming from partners or directly? I'd appreciate more details on the sources of this new customer growth and its sustainability, as well as how to better identify it in the financials.

Yes. In terms of current billings, 8%, we were hoping to do better. But honestly, I think that it's a fair representation of the business momentum that we see today because it does reflect the net dollar expansion rate having gone down by another percentage in Q1, offset partially by the continuing traction in the new business. I would say that if you were to look for guidance regarding the calculated current billings for the full year, we would say it would be roughly in line with our revenue guidance today, which is 8% to 10% for the full year. In terms of new business, the reason we decided to talk about new business this quarter is because we are seeing a trend like three consecutive quarters is something we thought was meaningful for us to highlight and disclose, and the majority of that is driven by our channel partners. So the growth is coming from channel partners, and I think that if you were to look at the magnitude, you can probably tell based on the current billings growth of 8%, net dollar expansion rate of 4%, and the rest would be coming from the new business.

I'm not showing any further questions in the queue. With that, this concludes today's conference. Thank you for your participation in today's conference. This does conclude the program, and you may now disconnect. Everyone, have a great day.