Qualys, Inc. Q3 FY2024 Earnings Call

Qualys, Inc. (QLYS)

Earnings Call FY2024 Q3 Call date: 2024-11-05 Concluded

Call artefacts

8-K earnings release

Item 2.02 release filed around the call (2024-11-05).

10-Q filing

The quarterly report covering this quarter (filed 2024-11-05).

Transcript

Auto-generated speakers
Operator

Ladies and gentlemen, thank you for standing by. Welcome to Qualys' Third Quarter 2024 Investor Call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question-and-answer session. Please be advised that today's conference is being recorded. I would like now to turn the conference over to Blair King, Investor Relations. Sir, please go ahead.

Blair King Head of Investor Relations

Thank you, Michelle. Good afternoon and welcome to Qualys' third quarter 2024 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest form 10-Q and 10-K. Many forward-looking statements that we make on this call are based on assumptions as of today. And we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks, and investor presentation are all available on the investor relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

All right. Thank you, Mr. King. And welcome to our third quarter earnings call. Q3 was another quarter of rapid innovation for Qualys, reflecting our ongoing commitment to technology leadership, cybersecurity transformation, and successful outcomes for our customers. As I have focused on product management and marketing over the last few months, I have personally spoken to many Chief Security Officers who are struggling with too many security tools, creating overwhelming findings for IT and development teams. They feel pressure to articulate the ROI of their security spend and rationalize it in the context of risk to their organization to their CFOs, CEOs, and boards. Risk can only be mitigated if it is remediated and done in a timely manner. There is an immediate desire to stop playing risk whack-a-mole and establish a properly operationalized risk management process by implementing a modern risk operation center. At our recent QSC event in San Diego, we ushered in the next era of cybersecurity innovation by announcing the GA of our enterprise risk management solution, which is the world's first cloud-based Risk Operations Center. ETM transforms siloed data into a cohesive real-time risk management solution by consolidating Qualys and non-Qualys data from several technology design partners, including Wiz, AWS, Microsoft Defender, Oracle, Okta, and Forescout. The result is a single, comprehensive, AI-powered platform that aggregates security findings, unifies threat intelligence, and provides organizations with actionable, enterprise-wide insights to prioritize and remediate cyber risks with unique business context and financial impact through cyber risk quantification. 
Unlike some exposure management platforms in the market that only expose risks based on data their sensors collect, Qualys ETM provides a comprehensive risk view that goes beyond vulnerabilities across code repositories, on-premises environments, the cloud, container, remote endpoints, identity, operational technology, and IoT findings from multiple existing security tools while offering patching and remediation capabilities. With ETM, Qualys has set a new gold standard in the industry for proactive cybersecurity risk management. ... Cyber risk orchestration is coordinated, quantification is comprehensive, remediation is transformed, and enterprise-wide ROC at scale is a reality. We see many parallels between this new market opportunity and the early days of VMDR, including a significant greenfield opportunity and being early to market. I encourage all of you to watch the video describing our ETM powered ROC in more detail at qualys.com. We also announced the mROC, which will enable many managed service providers to deliver services on the Qualys ETM as a managed Risk Operations Center. Lastly, we announced that a cyber insurance company will provide Qualys ETM customers with additional discounts on their premiums for lower TruRisk scores shared directly from ETM, allowing customers to transfer residual risk to their business. With a ROC delivered by Qualys ETM, we are now empowering C-level executives and security teams with out-of-the-box, instant, and actionable insights into trending risks specific to their vertical and mapped to their own data to preemptively identify prevailing threats well in advance of potential security incidents. 
With this new app, which we call TruLens, going GA soon, CISOs and security teams are immediately notified of potentially impacted IT and OT assets within their environments, the materiality of those assets to their business, the associated impact on their overall risk score, and are equipped with the ability to make remediation frictionless and immediate with a simple click of a button. ... Alongside several other exciting announcements at QSC San Diego, we were pleased to commence GA of both our TruRisk Eliminate and Qualys TotalAI capabilities, marking another milestone in Qualys' 25-year history of cybersecurity innovation. We are pioneering these categories, and both are key differentiators on our platform. These new approaches to cybersecurity risk management, along with several others on our roadmap in the coming quarters, arm our customers with the tools necessary to navigate an increasingly complex threat and regulatory environment, streamline security operations, and reduce costs. Moving to our business update, with many of our customers already embracing Qualys to help rearchitect and consolidate their stack, Qualys' VMDR has translated into an enviable customer base, broad adoption, and notable industry recognition. ... As recently announced, Qualys' VMDR with TruRisk was recognized by GigaOm as a comprehensive risk-based approach to vulnerability management and a leader in the category for the fourth consecutive year. We believe Qualys' placement as a leading vulnerability management solution further validates our investments in the platform and continues to represent the high-water mark for securing customer environments today and in the future. Given Qualys' demonstrated track record for delivering greater value to customers, our VMDR solution with TruRisk is not only fueling new logo lands but also helping to increase platform adoption, especially in Cybersecurity Asset Management with EASM, Patch Management, and Cloud Security. 
Let me share a couple of recent wins, which illustrate why companies turn to Qualys to help consolidate their security tools and fortify their security operations. ... In Q3, one of my favorite wins was a large federal government agency becoming a Qualys customer. This new customer was previously using multiple legacy and next-gen solutions to manage a variety of risk management use cases across their security, IT, and DevOps teams. In addition to the complexity of using multiple point solutions, this government agency was frustrated with increasing costs associated with on-prem deployments, the inefficiencies of operating siloed systems, and elongated remediation efforts. ... Looking to migrate to a natively integrated, cloud-based, FedRAMP High Impact Level Ready solution that meets the CISA Binding Operational Directives, we displaced five of their existing vendors in a seven-figure bookings deployment using multiple Qualys modules right out of the gate. These initial deployments included Cybersecurity Asset Management with EASM, VMDR with TruRisk, Patch Management, Policy Compliance, and EDR. Through this highly strategic and competitive win, this customer is now able to leverage unified dashboards that provide them with greater insights and automation than any of the competitive products they evaluated, while taking full advantage of a natively integrated platform. ... This win, alongside a separate seven-figure upsell with an existing large government agency customer and a significant state win, is a testament to our ongoing investments to expand our federal, state, and local government business in the United States. Continuing our global platform expansion, I’m pleased to announce that IRAP in Australia has recently assessed Qualys at the Protected level. 
This achievement opens the door for Australian government agencies and commercial organizations looking to comply with the ACSC Essential Eight strategies as well as their PSPF requirements to meet their country’s most stringent security and compliance standards. Our successful assessment follows Qualys' approval as a cybersecurity service provider to the Victorian state government for vulnerability management services. ... Qualys was selected through a highly competitive and extensive vetting process and is being bundled into a managed service delivered by E&Y. Turning to the momentum we're seeing with our TotalCloud CNAPP solution is a mid-six-figure bookings upsell with a financial services company in the global 200. This existing VMDR and CSAM customer selected TotalCloud to scale their container deployments to over 70,000 hosts, monitoring millions of Kubernetes container images daily. ... Through its evaluation of competing cloud security providers, this customer determined that alternative point solutions added complexity to their operations, lacked integration, and missed detections, which hindered their ability to assess risk and consolidate their security tools. Today, through a highly scalable, natively integrated CNAPP solution, this customer is leveraging the Qualys Enterprise TruRisk Platform to combine runtime insights with proactive risk management while actively detecting anomalies, preventing zero-day attacks, closing compliance gaps, and remediating risk with ITSM integration through a single dashboard from code to cluster. These capabilities provide the visibility, automation, and cloud hygiene necessary to defend against today's adversaries and represent a significant long-term growth opportunity for Qualys. ... Our growing leadership in the cloud market was also recently recognized by Gartner in its July 2024 Market Guide for Cloud Native Application Protection Platforms. 
With seamlessly integrated solutions delivered natively on our platform to solve modern security challenges, more and more Qualys customers are beginning to understand how cybersecurity transformation drives better security outcomes, saves time, and costs less. As a result, customers spending $500,000 or more with us in Q3 grew 15% from a year ago to 200. Consolidation isn’t just happening with customers; it’s also embraced and prioritized by our partners, where we continue to see an increase in new customer deal registrations and cross-sells. ... We believe the expansion of our partner program continues to reflect our strengthening brand awareness and strategic position in the market. In summary, we believe our natively integrated platform that comprehensively measures, communicates, and remediates cyber risk brings a highly differentiated value proposition to our customers as they get more security using fewer resources with the Qualys Enterprise TruRisk Platform. ... With a unique opportunity in this environment to further strengthen our strategic position as the partner of choice for customers looking to rearchitect and consolidate their security tools to solve modern security challenges, we believe we can continue to grow long-term, maintain best-in-class profitability, and invest in key initiatives aimed at further extending the gap between Qualys and the competition. With that, I’ll turn the call over to Joo Mi to further discuss our third-quarter results and outlook for the fourth quarter and full year 2024.

Thanks, Sumedh, and good afternoon. Before I start, I’d like to note that, except for revenues, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period unless stated otherwise. Turning to third quarter results, revenues grew 8% to $153.9 million with channel continuing to increase its contribution, making up 47% of total revenues compared to 43% a year ago. As a result of our continued commitment to leverage our partner ecosystem to drive growth, we were able to grow revenues from channel partners by 17%, outpacing direct, which grew 1%. By geo, 14% growth outside the U.S. was ahead of our domestic business, which grew 5%. U.S. and international revenue mix was 58% and 42%, respectively. In Q3, we saw some stabilization in the selling environment but believe ongoing budget scrutiny will persist for the foreseeable future. Reflecting this sentiment, our gross retention rate remained largely unchanged at approximately 90%, but with stronger upsell performance, our net dollar expansion rate came in higher at 103%, up from 102% last quarter. We continued to see a positive growth trend in new business, achieving a double-digit growth rate for the fifth consecutive quarter. In terms of product contribution to bookings, Patch Management and Cybersecurity Asset Management combined made up 15% of LTM bookings and 24% of LTM new bookings in Q3. Cloud Security solution, TotalCloud CNAPP, made up 4% of LTM bookings. The foundational theme underpinning these results is the power of our Enterprise TruRisk Platform to help customers consolidate cybersecurity at scale. Turning to profitability, reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2024 was $69.7 million, representing a 45% margin, compared to a 48% margin a year ago. 
Operating expenses in Q3 increased by 12% to $61.8 million, primarily driven by an 18% increase in sales and marketing investments aimed at capturing the market opportunities in front of us. As we continue to increase our investment intensity and focus on sales and marketing enablement, customer success, and productivity, we believe we will be able to drive wallet share and long-term returns. EPS for the third quarter of 2024 was $1.56, and our free cash flow was $57.6 million, representing a 37% margin compared to 64% in the prior year. In Q3, we continued to invest the cash we generated from operations back into Qualys, including $3.4 million on capital expenditures and $44.9 million to repurchase 344,000 of our outstanding shares. As of the end of the quarter, we had $185.7 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenues. For the full year 2024, we are now expecting our revenues to be in the range of $602.9 million to $605.9 million, which represents a growth rate of 9%. This compares to revenue guidance of $597.5 million to $601.5 million last quarter. For the fourth quarter of 2024, we expect revenues to be in the range of $154.5 million to $157.5 million, representing a growth rate of 7% to 9%. This guidance assumes lighter new business this quarter based on current pipeline and continued deal scrutiny from existing customers with no meaningful change in our net dollar expansion rate in Q4. Shifting to profitability guidance. Factoring in the better-than-expected profitability to date, we expect full year 2024 EBITDA margin in the mid-40s and free cash flow margin in the mid-to-high 30s. We expect full year EPS to be in the range of $5.81 to $5.91, up from the prior range of $5.46 to $5.62. For the fourth quarter of 2024, we expect EPS to be in the range of $1.28 to $1.38. 
Our planned capital expenditures in 2024 are expected to be in the range of $12 million to $16 million; and, for the fourth quarter of 2024, in the range of $5.5 million to $9.5 million. Adding additional context, we are currently making certain investments in some of our data centers to achieve greater operational efficiencies and reduce medium-to-long-term marginal costs. These investments pressured gross margin in Q3 by approximately 1%, and we anticipate a similar contraction in Q4. With respect to operating expenses, in Q4 we expect to continue to prioritize an increase in investments in Sales & Marketing aimed at driving more pipeline, supporting sales, enhancing our partner program, and expanding our federal vertical with more modest increases in engineering and G&A. With that, Sumedh and I would be happy to answer any of your questions.

Operator

Thank you. And our first question comes from Jonathan Ho with William Blair. Your line is now open, sir.

Speaker 4

Congratulations on the strong results. Sumedh, can you talk a little bit about some of the changes that you've implemented on the product marketing side, and maybe help us understand what that impact could be moving forward? It seems like your CNAPP products did quite well this quarter.

Yes, thank you. Great question. I think where we see the opportunity really is aligning overall messaging around the different modules to the messaging around business risk and risk quantification that we have been emphasizing. Our focus has been on realigning our messaging to the risk narrative instead of just individual modules and products. Of course, this is a journey we have started, but really being able to have that quantification conversation with a single risk score across all the different capabilities in the platform is essential.

Speaker 4

Excellent. And then, just for Joo Mi, can you talk a little bit about the strength you saw this quarter in terms of the net retention? And should we expect things to maybe trend towards this positive direction given the release of the new products and the new bundles that you put together? Thank you.

Yes, we were really pleased with the outperformance, especially after a few consecutive quarters of a tick down in our dollar expansion rate. We're pleased to report that it's increased back up to 103%. Now, while we are optimistic in the longer term that we will see that continue to tick up, for guidance, we are assuming no material change right now.

Operator

And the next question comes from Roger Boyd with UBS. Your line is open.

Speaker 5

I want to touch on the channel. You continue to sound pretty confident in the opportunities that are unlocking there, particularly with the new platform offerings with mROC. It's clearly shown up in the revenue numbers, but could you expand on the momentum you're seeing there and the extent to which the channel contributed to the strong 3Q billings growth?

Yes. At a high level, we are happy with the journey we started a year and a half ago around focusing more on our channel partners to bring business to us, increasing deal rates. We're seeing positive momentum there, and what we look forward to is embracing the partner strategy for both new business and upsells. For a long time, managed detection and response solutions have been a focus, but our partners now are excited to provide fresh services in cybersecurity that are relevant to the customers, especially around risk advisory services.

Operator

And our next question comes from Patrick Colville with Scotiabank. Your line is open.

Speaker 6

Congratulations on a very healthy print. I guess I want to focus specifically on the current billings performance, which is highly impressive. Were there any deals pushed from Q2 into Q3 or any deals that were signed in Q3 that were maybe kind of pulled in for Q4? Were there any one-offs regarding the current billings performance?

There were, but not outside the normal course of business. In any given quarter, we do have some deals that get pushed out and then pulled forward. And so, it was a typical quarter from that perspective. With that said, when you take a look at current billing, it does get impacted by the billing schedule and customer contract terms. The 14% we just posted is higher than the bookings performance due to billing schedule fluctuations. For a more accurate view of business momentum, I would suggest looking at it on an LTM or year-to-date basis.

Speaker 6

Very helpful. So, using an LTM basis is the right way to get a normalized view for next year? Should we expect more like double-digit performance like this quarter?

Yes, it's a little too early to be discussing next year, but given our current bills, I would say our guidance aligns with a revenue growth rate of 7% to 9% for Q4.

Operator

The next question comes from Kingsley Crane. Your line is open.

Speaker 7

Really impressive results. I just want to get a little bit more granular on what drove the strength from a product perspective. It seems like with TruRisk and TotalAI, those will be more meaningful over the next quarters and years. Thanks.

Yes, great question. Look, we're happy to see we're in a good quarter. I think I'd like to see the pickup in the net revenue retention that we saw this quarter. Our investments in the federal space have been fruitful, and we've seen a positive trend in new business growth. We're also seeing positive early conversations with customers around TotalAI. IT teams are getting ready to deploy some form of AI, and they're coming to the security team for certification.

Speaker 7

Great. That's really helpful. Sumedh, I just want to take a step back and circle back to the departure of Pinkesh, the Chief Product Officer in September, which had been planned. What have you learned operationally over the past couple of months? Do you feel you have the appropriate bandwidth?

Yes, I do. It's always good to see how getting people to talk to each other can greatly impact operations. As I stepped in, I was able to bring the product management and product marketing teams together quickly. We created a compelling brand around risk operation centers, which resonates well with our customers. Our evolution from just being a vulnerability scanner into a much broader platform for risk management is evident.

Operator

And the next question comes from Joel Fishbein with Truist. Your line is open.

Speaker 8

Sumedh, to follow up on the product questions, I'm really interested in TruRisk Eliminate. What is the early feedback and when does it specifically go to market?

Thanks, Joel. TruRisk Eliminate is very promising. It's designed to provide mitigation capabilities without the need for patching. Many customers are looking forward to this solution, especially those in highly regulated environments. We rolled out this packaging this quarter, and we are optimistic about its momentum early next year.

Operator

And the next question comes from Rudy Kessinger with DA Davidson. Your line is now open.

Speaker 9

Congrats on a strong quarter, particularly on revenue and billings. I'm curious about the revenue outperformance. Was upsell the primary driver, or were there any other contributing factors to the strong performance?

From an upsell perspective, it was more or less broad-based. We were pleased with our performance because the net dollar expansion rate finally increased back to 103%, primarily driven by upsell performance and our focused execution. Additionally, we are seeing momentum in new business bookings, which contributed to our success.

Speaker 9

Okay, that's helpful. So, just to clarify, Q4 calculated billings growth is guided to 7% to 9%, correct?

Yes, Q4 calculated billings growth is expected in that range.

Operator

And our next question comes from Matt Hedberg with RBC. Your line is open.

Speaker 10

With a lot of positivity from this quarter, can you comment on the durability of these trends? They seem to have an idiosyncratic nature versus more macro-driven.

The conversations we are having show that there's a real desire to consolidate tools and focus on business outcomes rather than just adding more alerts to fix. The momentum around features like the ROC and ETM is very genuine, even if macro conditions create scrutiny on deal cycles.

I would say current bills are guided towards mid-single digits, in line with our revenue growth expectations for Q4.

Operator

And our next question comes from Trevor Walsh with Citizens. Your line is open.

Speaker 11

Sumedh, can you provide some insights into how customers view Qualys as a consolidator of risk management tools?

Customers are enthusiastic about the capabilities we offer as they can centralize their risk management in one comprehensive platform. We provide consolidated insights that enable board-level conversations about risk and the corresponding budget required to mitigate it. This approach resonates with customers and distinguishes us from other solutions in the market.

Speaker 11

Great, thanks for the perspective. Joo Mi, if I can just ask about tracking the ROI from investments made in sales and marketing. What metrics do you use to measure their effectiveness?

We measure ROI through sales productivity, analyzing how much bookings each sales headcount generates. We are tracking our investment in channel efforts to identify which campaigns yield the most success moving into 2025.

Operator

And our final question comes from Shrenik Kothari with Baird. Your line is open.

Speaker 12

Congrats on a really great quarter, Sumedh. Can you discuss the federal segment? You highlighted some nice wins in Q3, and what’s the outlook for the pipeline going forward?

Federal is a key focus for us. Our FedRAMP Medium certification has helped us gain traction, and we've seen interest in consolidating multiple tools into one Qualys platform. We're optimistic about this segment as we continue to build out our federal practice.

Speaker 12

Very helpful. Just a quick follow-up. You touched on the billing schedule. Has anything changed compared to last quarter?

Current billings tends to fluctuate, and there was no significant abnormality in this quarter compared to previous ones, just typical deal pushes and pulls. A more accurate way to interpret this is on an LTM basis.

Operator

We would like to thank everyone for your participation. This will conclude today's conference call, and you may now disconnect.