Qualys, Inc. Q3 FY2025 Earnings Call
Qualys, Inc. (QLYS)
Transcript
Good day, and thank you for standing by. Welcome to the Qualys Third Quarter 2025 Investor Call. Please be advised that today's conference is being recorded. I would now like to hand the conference over to your first speaker today, Blair King. Please go ahead.
Thank you, Briana, and good afternoon, and welcome to Qualys' Third Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements and factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to now turn the call over to Sumedh.
Thank you, Blair, and welcome to our third quarter earnings call. As threat actors continue to swiftly exploit vulnerabilities, the future of cybersecurity is shifting from attack surface management to risk surface management through Agentic AI-driven proactive risk management that quantifies business impact and automates remediation. In this context, we have performed well in Q3, reflected by another strong quarter of revenue growth and profitability. Over the past few years, I've had the opportunity to speak with hundreds of CISOs, CIOs, and security leaders globally. A common theme from these discussions is the necessity to translate cyber risk management into business terms to ensure budget allocation aligns with business risk. CISOs seek a practical approach to consolidate tools when achievable and empower their teams to utilize the best solutions where appropriate. They desire a seamless integration of their security toolset into a centralized risk framework, allowing for the effective management of multiple risk vectors to accurately assess, communicate, and eventually mitigate the organization's risk exposure. The Risk Operations Center, ROC, powered by Qualys ETM, fulfills this need. At our recently held Risk Operations Conference in Houston, where we highlighted the business risk dialogue with a specialized CFO and Board track, our customers supported this strategy. The agenda expansion for ROCon resulted in a 20% increase in attendance compared to last year's QSC event. While traditional security operations centers work to identify breaches post-occurrence, Qualys is leading the creation of the first Agentic AI Risk Operations Center, ROC, which aims to centralize an organization's threat response before any business impact occurs. 
Utilizing our ETM solution, the ROC processes several petabytes of high-quality data daily, standardizes and correlates information from both Qualys and non-Qualys sources, and enables AI and humans to collaborate in real-time to detect and respond to threats at unprecedented speed. This initiative focuses not on generating more alerts but on taking actions that eliminate vulnerabilities before attackers can take advantage. In contrast to conventional continuous threat exposure management tools that merely highlight vulnerabilities without sufficient remediation capabilities, our unique ETM solution integrates CRQ, CTEM, and native remediation operations to rapidly address the most critical risks at scale. By aligning security and IT strategies with business priorities, we provide organizations with measurable proactive risk reductions that are valued by Boards and customers alike. Early adopters are already supporting the model as POCs transition to commercial deployments, highlighting both the significance of this opportunity and its similarities to the early stages of VMDR. We are committed to maintaining this momentum. Our R&D team is continuously generating innovations, expanding our platform, and positioning Qualys for wider upsell prospects. We are also integrating several established module capabilities into ETM, enabling organizations to utilize them across their entire attack surface. By making trillions of security risks from Qualys and third-party tools, like vulnerabilities, misconfigurations, and identities, accessible through our ETM solution, we are creating an advanced predictive platform. This leverages our Qualys TruRisk framework, TruLens threat management features, and a ready-to-operate Agentic AI workforce that autonomously manages risks from discovery to remediation, fully integrated with IT service management. 
This distinctive set of capabilities identifies emerging threats in real-time, compares threats with peers, evaluates organizational impacts, and quantifies risks in actionable, business-relevant terms. Consequently, security and IT teams can effectively prioritize tasks and address threats based on the organization’s risk linked to new vulnerabilities, focusing on specific industries, asset types, and identities. We believe these latest enhancements to our ETM solutions strengthen our position in the market, improve security operations, and significantly speed up results for our clients. Next in line for our ETM solution, I am particularly excited about a new groundbreaking feature, TruConfirm. This feature harnesses the power of our platform to validate whether vulnerabilities are exploitable before customers face a breach. Through automated large-scale validation, we eliminate uncertainty for customers by executing safe exploits on the network to confirm if attackers could succeed in their attempts, thus bridging the gap between theoretical and actual vulnerabilities. This method enables customers to concentrate on prioritizing only exploitable risks for the next step—automated remediation with TruRisk Eliminate. Our leading-edge capabilities are increasingly acknowledged by our customers, partners, and independent analysts. Notably, at Black Hat, Qualys won two Pwnie Awards for our significant contributions to threat research, driven by our strong expertise in threat intelligence and triage. Additionally, GigaOm recognized Qualys as the leader in Patch Management, a sector we pioneered, having deployed over 140 million patches in the last year alone. While some competitors are still beginning to embrace this strategy, Qualys has far surpassed traditional patching. TruRisk Eliminate addresses the unpatchable dilemma, allowing IT and security teams to automate various compensatory controls for patches that are too risky to implement or simply unavailable. 
As adversaries increasingly exploit vulnerabilities at rapid AI speeds, our suite of AI-driven automated remediation solutions has developed into a significant adoption layer, creating a unique competitive edge and opening new market avenues for Qualys. Moving on to our business update, we have seen a 5% increase in customers spending $500,000 or more with us, now totaling 211. Allow me to share a couple of recent successes that illustrate why organizations focused on centralizing cyber risk responses are partnering with Qualys to unify their security solutions, assess, and mitigate risks in their environments, strengthening their security operations. In Q3, a notable win involved a Global 700 customer that had initially only engaged Qualys for PCI scanning. Like many organizations, they were overwhelmed with fragmented data, manual processes, and disconnected tools. With minimal automation in place, their teams found themselves spending more time on documentation than on risk reduction, burdened by an influx of compliance audits. This customer opted for Qualys to transform disparate risk signals from code repositories, endpoints, identities, cloud containers, and network assets into an integrated real-time risk management solution by consolidating both Qualys and non-Qualys data. This included replacing their existing vulnerability management vendor and acquiring three additional Qualys modules, including ETM, to start operationalizing the Risk Operations Center with integrated third-party data, which resulted in a mid-six-figure annual upsell. By merging these data sources into the Qualys platform, we are providing this customer a vendor-neutral orchestration layer offering complete visibility of their risk and attack surfaces, centralized risk management and prioritization, and effective remediation, while facilitating operational efficiencies in security stack consolidation tailored to manageable risk parameters for the business. 
With our innovative technology, unprecedented platform effects, and commitment to minimizing risk and friction, this example highlights Qualys' ability to surpass outdated siloed solutions and strengthen our industry leadership. It also exemplifies our collaboration with preferred managed risk operation partners to activate the Risk Operations Center with new business opportunities. In the next phase, this customer is considering our TotalCloud native CNAPP solution and TruRisk Eliminate as they also integrate more third-party tools into the Qualys platform, representing a significant upsell opportunity. Further leveraging our managed risk operation partner ecosystem has led to a new six-figure deal with a major airline in the Middle East. This customer selected Qualys for our unified risk detection and remediation capabilities through TruRisk Eliminate. Nearly nine months after launching the ETM solution and witnessing over 28 POCs transition to commercial success, we've garnered valuable insights regarding ETM pricing and packaging. For context, we anticipate ETM can yield up to a 100% increase for every $1 of VMDR, now that ETM also encompasses Cybersecurity Asset Management and additional ETM feature enhancements discussed earlier, along with third-party data ingestion. Consequently, starting with our Q1 2026 earnings call, we will shift from reporting cybersecurity asset management long-term bookings to ETM customer penetration, as we believe ETM will become a crucial growth pillar for Qualys in the coming years. Regarding our federal business, we achieved a significant six-figure upsell with a large government agency. This customer had been utilizing multiple legacy and next-gen tools for a range of risk management needs across their security, IT, and DevOps teams. 
Alongside the complications of managing numerous point solutions, the government agency expressed frustrations with rising costs associated with traditional on-premise deployments, the inefficiencies of siloed systems, and drawn-out remediation processes. Facing a clear need to transition several monolithic workloads to micro applications across its hybrid environment using a FedRAMP high solution, this customer moved quickly to consolidate their security stack with over 17 Qualys modules, including VMDR, Cybersecurity Asset Management, TotalAppSec, TotalCloud, TruRisk Eliminate, and TotalAI. Currently, this customer benefits from a unified dashboard providing greater insight and automation than any competitive products they reviewed, taking full advantage of the agility and scalability of a cloud-native platform. Alongside a major seven-figure win at the state level, this highlights the strength and long-term growth potential we see in our federal, state, and local government business. Additionally, we are increasingly leveraging our partner ecosystem. In Q3, partner-led deal registrations rose, showcasing the effectiveness of our partner-first sales strategy. We have also certified nearly a dozen partners actively launching managed risk operation services, using ETM to enable centralized automated risk management before breaches occur. Momentum is building towards a global ROC alliance, and we anticipate certifying additional strategic partners in the forthcoming months who are dedicated to promoting Qualys as their managed risk operation partner of choice. Our flexible platform pricing model, Q-Flex, contributes to our platform growth efforts. We beta tested Q-Flex in Q3 to accelerate customer adoption of the Qualys Enterprise TruRisk platform. In less than a quarter post-introduction, we have seen notable customer interest and significant success. 
For instance, an existing Global 10 customer made a multi-year commitment under our Q-Flex program, boosting their annual bookings by over 50% while adding new modules to their subscription count with Qualys. This win demonstrates our growing proficiency in risk management, and we expect Q-Flex's contribution to continue increasing. In summary, our persistent innovation, early ROC deployments, strategic gains in federal markets, momentum in partner-led initiatives, and early adoption of Q-Flex collectively highlight Qualys' strength in integrating risk management workflows, easing operational complexities for customers, and tackling today's most demanding security challenges. We believe these accomplishments validate our ongoing investments and position Qualys as a trusted leader in pre-breach risk management, setting the foundation for lasting growth and long-term success. Now, I will hand over the call to Joo Mi to discuss our third-quarter results and outlook for the fourth quarter and the full year 2025.
Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period, unless stated otherwise. Turning to third-quarter results. Revenues grew 10% to $169.9 million. The channel continued to increase its contribution, making up 50% of total revenues compared to 47% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 5%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the U.S. was ahead of our domestic business, which grew 7%. U.S. and international revenue mix was 56% and 44%, respectively. In Q3, gross retention continued to improve. However, upsells remain challenging with our net dollar expansion rate of 104%, unchanged from last quarter. In terms of product contribution to bookings, Patch Management and Cybersecurity Asset Management combined made up 17% of total bookings and 28% of new bookings on an LTM basis. Our cloud security solutions, TotalCloud CNAPP, made up 5% of LTM bookings. Reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2025 was $82.6 million, representing a 49% margin compared to a 45% margin a year ago. Operating expenses in Q3 increased by 5% to $64.9 million, driven by investments in sales and marketing, which grew 9%. As we remain focused on driving growth, we are mindful of where to further increase investments while optimizing returns and others, which resulted in EBITDA margin exceeding our expectations in Q3. This demonstrates our ability to maintain high operating leverage, remain capital efficient while continuing to innovate and invest to support our long-term growth initiatives. With this strong performance, EPS for the third quarter of 2025 grew 19% to $1.86. 
Our quarterly free cash flow was $89.5 million, representing a 53% margin compared to 37% in the prior year. Year-to-date, free cash flow margin was 46% compared to 42% in the prior year. In Q3, we continued to invest the cash we generated from operations back into Qualys, including $901,000 on capital expenditures and $49.4 million to repurchase 366,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.4 million shares and returned $1.2 billion in cash to shareholders. As of the end of the quarter, we had $205 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenues. For the full year 2025, we expect revenues to be in the range of $665.8 million to $667.8 million, which represents a growth rate of 10%. This compares to prior guidance of $656 million to $662 million. For the fourth quarter of 2025, we expect revenues to be in the range of $172 million to $174 million, representing a growth rate of 8% to 9%. While we believe our platform approach to cyber risk management provides some insulation in macro volatility, this guidance assumes continued budget scrutiny in a challenging environment for new business growth in Q4. Shifting to profitability guidance. We expect full year 2025 EBITDA margin in the mid- to high 40s, net free cash flow margin in the low 40s. We expect full year EPS to be in the range of $6.93 to $7, up from a prior range of $6.2 to $6.5. For the fourth quarter of 2025, we expect EPS to be in the range of $1.73 to $1.80. Our planned capital expenditures in 2025 are expected to be in the range of $5.5 million to $7 million and for the fourth quarter of 2025 in the range of $1.2 million to $2.7 million. With that, Sumedh and I will be happy to answer any other questions.
Our first question comes from Roger Boyd of UBS.
Awesome. Congrats on a nice quarter. Sumedh, can you just double-click on some of the pricing you mentioned around ETM earlier? I just wanted to be clear on that 100% upsell metric. Is that inclusive of what you have with cybersecurity asset management and patch? And just now with the kind of packaging sort of figured out on that product, just your confidence in kind of the ability to start driving better upsell moving forward.
Yes, that's a great question. The ETM pricing will include Cybersecurity Asset Management because, when we talk to our customers about building any Risk Operations Center, having an asset inventory is essential for success. This was a significant piece of feedback we received. Additionally, we have introduced Agentic AI capabilities to help enhance their security teams with AI agents, allowing them to manage cybersecurity outcomes within their budget and optimize spending. Customers are continuously looking to optimize their cybersecurity expenses. We also provide focused threat intelligence to help validate exploits, which is part of the offering. The upsell we anticipate is that after using ETM to confirm inventory and verify that an exploit can work in their environment, they will purchase TruRisk Eliminate, which provides patching and mitigation features to address vulnerabilities. Ultimately, while we can enhance visibility, attackers often exploit vulnerabilities quickly, as highlighted in the recent Mandiant report, where exploits occur frequently within a day even before patches are available. The crucial aspect is having the ability to remediate and mitigate risks, even without a patch. To answer your question on pricing, we expect it to be up to 100% based on the inclusion of VMDR capabilities with CSAM, Agentic AI, and exploitation confirmation. From there, the upsell will enable them to achieve more tangible outcomes.
Our next question is from Patrick Colville of Scotiabank.
I want to ask two questions. First, regarding the Federal government, what are you observing in the early weeks of Q4, especially considering the shutdown? Second, I'd like to inquire about the competitive landscape. This is often a top concern from investors. Is the competitive environment shifting for Qualys with new entrants like CrowdStrike claiming to capture market share? Are you facing different competitors now compared to last year? While your win rates appear strong, could you provide more insight on this?
Yes, that's a two-part question, and I'll address both. First, regarding the federal side, we're in the very early stages and have committed to achieving FedRAMP high, which has initiated powerful conversations. I've been in D.C. for critical meetings to discuss the Risk Operations Center and its potential to enhance government efficiency. There’s a growing focus on efficiency, particularly in consolidating processes, and the Risk Operations Center resonates well with our federal clients. It's not just about the cost of the tool, but also the resources spent on addressing issues highlighted by the tool that may not even be relevant. We're seeing promising early discussions with many opportunities ahead, although some are taking a cautious approach due to current scrutiny. Nevertheless, our commitment to invest in the federal sector remains strong, with FedRAMP being our initial step, and we'll continue this investment following recent initiatives in D.C. On the vulnerability management and competition front, I was thrilled to see that Qualys achieved a leadership position in GigaOm's Patch Management, ahead of several competitors. What we've observed is that vulnerability management is shifting away from merely detecting more CVEs, as many organizations typically only resolve about 5% of those discovered due to information overload. While other companies emphasize finding more CVEs, Qualys is focused on helping customers narrow down their priorities. During our recent ROCon Conference, we illustrated how 62 million findings could be reduced to 2 million relevant findings through effective threat intelligence, and further down to 300,000 when applying business context. Our goal is to assist customers in identifying what truly matters and enabling them to address those issues promptly, especially since attackers can exploit vulnerabilities within hours. This momentum reflects our evolution, as customers appreciate our detection capabilities and accuracy. 
Furthermore, we’ve enhanced our platform to integrate data from other sources, like OT or EDR tools, to help clients focus on what's truly critical. The main challenge for our customers is to quickly remediate essential vulnerabilities rather than just discover more CVEs, which are often left unfixed. Overall, we recognize key competitors like Tenable and Rapid7, but our customers are increasingly prioritizing fast remediation over simply identifying more threats.
Our next question is from Mike Cikos of Needham.
I just wanted to double check and congrats on the quarter here. Were there any one-time benefits to revenue or CCP that we need to take into account on our side? And then secondly, as a follow-up, Joo Mi, great to see the results. Net dollar retention obviously remains here at 104%. What needs to happen for that net dollar retention to actually start picking up from where we are today?
Yes. With respect to CCP, nothing specific to call out, it was a solid quarter. As usual, you do get some benefit or negative impacts from out-of-cycle renewals, but nothing material that we think that's specific to this quarter. So it was really a solid growth quarter from an execution standpoint. Net dollar expansion rate, we'd love to get that up from 104% and upward, and this is part of the reason why Sumedh had commented on the fact that we've been really focused on making sure that we're delivering the message in terms of how ETM could be beneficial to our existing customers as well as new prospects. And so as we look to the cohort of customers that are up for renewal in each respective quarter, we're making sure that they understand the value that they could potentially see from whether they're looking to upsell from CSAM to ETM or cross-selling with adding ETM to their existing VMDR solution, and we think that this could be a meaningful impact during the dollar expansion rate.
Our next question is from Kingsley Crane of Canaccord Genuity.
Congrats on a really great quarter. If we think about Agentic AI within the risk operations center, TotalAI within VM, and then the CNAPP suite, they all require significant development resources. How are you prioritizing R&D spend across those initiatives? And just what metrics do you use to evaluate resource allocation?
Yes, that's an excellent question. Our primary focus is on investing in research and development as well as sales and marketing. At the start of the year, we planned to hire a Chief Revenue Officer and increase our engineering staff to ensure we can deliver on our capabilities. I'm pleased with how our execution has been so far, particularly the efforts by our VP of Global Sales, Shawn, and his team, which have led to a solid quarter. Moving forward, we aim to enhance collaboration between our sales and product management teams for greater efficiency. On the R&D side, we've had great success incorporating AI into our development processes. For instance, we've nearly ceased hiring in quality assurance and are experiencing a 20% to 25% efficiency increase from our top engineers, who benefit the most from using AI. This integration allows us to add enhancements to the Risk Operations Center without significantly raising R&D expenses. We plan to continue leveraging AI while reinvesting in our business. At this stage, we don’t see a need to add a CRO, as the team is performing well and aligned with our objectives. In terms of R&D, we are rapidly rolling out innovations and will keep investing, but we will evaluate our spending through the lens of balancing personnel investments with AI tools to achieve the necessary efficiency, sometimes unexpectedly so. We are excited about the capabilities we can add to the Risk Operations Center and how we can utilize Agentic AI across various functions, not just R&D but also in sales and additional areas.
And just to add to that, we are extremely focused on making sure that we have the right team structured in the focus areas from a product development standpoint. We have different teams working on, whether it be a Total AI or ETM, and because of that, we are continuing to increase the hiring, the R&D, the engineers. It's just that the geographic mix of incremental hires has shifted more to be in India, which has helped from an R&D expense standpoint, but we are making sure that we're working across different orgs or different functional areas within the engineering team to make sure that we're prioritizing in the right manner.
Our next question is from Shrenik Kothari of Baird.
Echoing my congrats to the team. Sumedh, the TruConfirm announcement definitely sounds like a step function moving from, as we said, the risk scoring to automated exploit validation and at scale. Just curious: Do you envision this also becoming sort of a pillar like ETM as monetizing it standalone? Or do you think of it as becoming an on-ramp to move customers into broader ETM? And then just with the POCs converting and all the large enterprise consolidations you talked about, how should we think about the ETM trajectory ahead? And then I have a quick follow-up for Joo Mi.
That's a great question. At the end of the day, for effective risk management, you need to eliminate the correct risks. Simply creating dashboards and relying on visibility alone is not sufficient. To achieve this, you must gather data from various sources to obtain a comprehensive view while also incorporating threat intelligence. Traditional CTEM solutions, which have been in use for many years, often just consolidate data and present it, providing a theoretical perspective on potential vulnerabilities. With TruConfirm included in ETM, we go beyond the basic visibility provided by CTEM platforms by enabling actual confirmation of vulnerabilities, which sets us apart from those solutions. This capability is part of ETM and does not require an additional upsell. It allows us to transition customers from MDR to ETM, paving the way for further upselling to elimination capabilities. As attackers look to exploit vulnerabilities before patches are available, speed is crucial. You need to quickly identify and confirm vulnerabilities within your environment. The next step should be an automated, AI-driven fix to address these issues before attackers can take advantage. The Risk Operations Center is more than just a CTEM solution; it provides more than mere dashboards.
Got it. Super helpful. And Joo Mi, very quickly, Sumedh mentioned about the AI driver for automated remediation and orchestration scale into model mROC partner delivery again also reducing the heavy lifting internally. So just curious, as partners increasingly monetize these services, how should we think about incremental leverage and how we're thinking about that.
Yes. I think that mROC will really help us to grow the top line because how we see the new product and value proposition in terms of the customers being able to really see how ETM could help them from a risk management standpoint. They will need assistance from the partner to really make sure that they are implementing the tool they're utilizing in the appropriate way and they're maximizing the ROI from their respective customization that's required from an organizational standpoint. So with working hand-in-hand with the partner to help us accelerate the top line growth for us, we think that we will get some leverage from a margin perspective, but really the unit economics, we don't really see a material shift there. I think we're already seeing some kind of benefit as we continue to shift more of our business to the partner side, and then layering on top that mROC, professional services or additional implementation help that customers might see will help to accelerate that revenue growth and the ETM penetration.
And Shrenik, just to kind of add to what Joo Mi said, I called that out as an example in our earnings calls where an mROC partner brought this new logo opportunity to Qualys in the Middle East, one of the largest airlines because they were excited about, not because of just a margin here or there, but they were excited about the ability to provide high-value risk management services to their customer. If they brought that customer to Qualys versus just selling them some other VM scanner that would just give them more findings and they would have to do a lot of work to provide value on top of that. So that strategy around mROC partners are bringing not just ETM, but they're also bringing us other customers, other deals with the understanding that these engagements with Qualys will lead to services revenue for these companies.
Our next question is from Junaid Siddiqui of Truist Securities.
Great. As you pivot more into a platform play, are you seeing any changes in sales cycles from customers?
I believe there isn't anything particularly noteworthy to mention. Demonstrating the platform's value by utilizing data from tools that customers already have can be advantageous, rather than requiring them to deploy our agents and scanners everywhere to recognize the benefits of Qualys. Additionally, the pricing structure may encourage them to consider phasing out their current solutions over time. Currently, we are in the early stages, but we are observing considerable enthusiasm, especially following the ROCon Conference and the product advisory board meeting with several top banks. The feedback reflects a lot of excitement about the Risk Operations Center as a focal point, rather than merely replacing scanners. This is something they feel they can quickly justify. It's new, and everyone is exploring it this year, which allows them to plan their budgets accordingly. Some have budget available now, while others are preparing for next year's expenditures. Overall, the discussions have been quite positive. Our aim is to not only integrate the Qualys findings into ETM for existing customers, but also to create enough value that encourages them to incorporate additional findings and assets not currently managed by Qualys. We are already witnessing this with some of our early adopters who initially brought Qualys VMDR findings into ETM but soon began to integrate twice as many assets into Qualys from other tools, thus increasing their ETM license count. As we move forward, we see this approach facilitating quicker proof of concepts, allowing us to work with customers who already have a competing VM scanner by ingesting their data and demonstrating business value, instead of pursuing lengthy proof of concepts that require deployment of agents and scanners. While it's still early, our initial engagements have been quite exciting and have progressed rapidly.
Our next question is from Joshua Tilton of Wolfe Research.
Congratulations on a strong quarter. I've been participating in several calls, so I have a broad question. We cover three publicly traded vulnerability management vendors, and I'm noticing that your growth rates vary. My question is whether these differences in growth are due to changes within the vulnerability management market, leading some of you to grow faster or slower, or if the variations in growth rates are a result of some of you pursuing broader platform strategies that include non-vulnerability management products, which may be creating a clearer distinction in growth among the three companies. If it's the latter, can you clarify which non-vulnerability management products are driving the growth difference that we see at Qualys compared to the others?
Some of us have an outstanding organic platform, which is why we are growing at a different rate. Over the past few years, we have acknowledged that vulnerability management has been evolving; people are now focusing more on prioritization and remediation rather than just scanning. This is why we shifted our focus to Patch Management a few years ago, and we achieved the number one position in GigaOm's analysis for Qualys, which we accomplished in just four years among established players. We are also moving towards enhancing ETM to not only collect data from our own tools and others but to prioritize that data using threat intelligence, which we have received awards for. Additionally, we can confirm vulnerabilities are exploitable and ensure they are fixed. We have reported the growth of Eliminate and Patch Management as a significant portion of our last twelve months' bookings. Starting from the earnings call for Q1, we will focus on increasing our ETM penetration within our customer base, evolving their experience from VMDR to a broader Risk Operations Center while upselling Eliminate capabilities to resolve issues. Our customers are increasingly focused on aligning their cybersecurity spending with business objectives, viewing risk from a business standpoint. Our organically developed platform, which integrates various components seamlessly, provides customers with a clear and straightforward understanding of their actual risk and the ability to remediate threats before they occur. In contrast, competitors who rely on several acquisitions and separate tools face challenges in achieving that level of quick response, and this is the feedback we have received from our customers.
Sumedh, you had me at organic platform. But maybe just a follow-up for Joo Mi. If I missed it, I apologize, but any way to think about how we should expect billings growth to finish or current billings growth to finish this year?
Yes. I think that Q4, because it was a very strong quarter, is a tough compare for last year. We do expect current billings to be a few percentage points below the revenue growth rate ending the year. So maybe if you think about it from the like 2025 full year current billings growth at around 8%.
Our next question is from Jonathan Ho of William Blair.
This is Garrett Burkam on for Jonathan. I was just wondering if you could walk us through how you're thinking about contribution from your new and continued product innovations like including AI and new modules around VMDR and mROC versus just continuing to upsell and cross-sell your existing installed base? And then also, can you just talk about how customer conversations are going with your mROC solution at this point? Just what traction you're getting there?
Sorry, I didn't get the first part of the question again. So you're asking for the contribution from...
Yes, like new modules and new customers versus upselling your existing base in your existing modules?
Yes, every customer is at a different stage in their journey, so we don’t break it down by individual modules. We have shared insights on the contribution of TotalCloud, our cloud-native CNAPP solution, which recorded 5% of the bookings for the quarter. We also highlighted Patch Management and Cybersecurity Asset Management, which have been our focus over the past few years, and we’re pleased with the progress we've made there. However, we are shifting our attention towards the Risk Operations Center and ETM solution. Our goal is to elevate customers from VMDR to ETM solutions, similar to our transition from VM to VMDR a few years ago. We have a solid base of vulnerability management customers to upsell and cross-sell ETM to, which already includes Cybersecurity Asset Management. The next step will be upselling them to the Eliminate solution to rectify issues effectively. Customer discussions about the Risk Operations Center have been very positive. One key differentiator for us has been our focus on risk management rather than just providing technical scores, as emphasized during our ROCon Conference in Houston, where we introduced a business track for cybersecurity featuring sessions with CFOs, Board members, and insurance companies. This initiative led to a 20% increase in attendance, as attendees sought to understand the business implications better. Conversations about our Risk Operations Center and ETM solution reveal that customers appreciate our approach, which goes beyond just offering dashboards; we address issues quickly and provide AI-driven insights regarding industry-specific risks, such as potential ransomware impacts and financial implications of vulnerabilities. The feedback has been very encouraging, and we’re excited about these developments. 
Moving into next year, we are concentrating on ETM and have made internal promotions to align with our go-to-market strategy, collaborating closely with our product management and CISO, Jonathan, who is supporting our efforts in risk operations solutions to effectively enhance our focus on ETM and the potential for upselling. As referenced in the Q1 earnings call, we will prioritize this opportunity moving forward. Additionally, we recognize the presence of various CNAPP solutions in the market; however, what stands out for customers regarding our CNAPP solution is its ability to integrate cloud risk into the overall business risk. Other CNAPP solutions might indicate the number of open public buckets, but they often fail to provide the financial impact of a potential breach. Our cloud security solution is uniquely integrated from a risk standpoint to offer business quantification, which is what we’re hearing from our customers. Looking ahead to next year, our primary focus will be on ETM as a core area for cross-selling to our customers. We will maintain ongoing investments in the federal market and continue innovating with our Eliminate capabilities. All these efforts will be supported by our initiatives with mROC partners, which we anticipate will significantly enhance our business scaling by 2026.
Our next question is from Joseph Gallo of Jefferies.
This is Garrett Burkam on for Joe Gallo. Really strong quarter. Can you just share some color on where exposure management is in terms of budget prioritization in 2026? And can we expect billings to track in line with your noted 8% for 2025?
I believe the first part of the question is that we are definitely seeing customers interested in investing in proactive risk management solutions. The Risk Operations Center, which includes exposure management and business quantification, is a key focus based on the feedback we’re receiving from customers. This has been a central theme in all our conversations this year. Many customers view the Risk Operations Center and the Security Operations Center as working closely together due to the current fatigue in the SOC caused by excessive alerts. There is a sentiment that improving prevention initially can decrease the number of alerts and alleviate some of that fatigue. Customers are exploring how to balance their cybersecurity budgets, but while I don’t have specific figures at the moment, we'll see how this evolves next year. There’s an emphasis on striking a balance between proactive risk management and reactive measures taken after a potential breach, and historically, both elements have been necessary. If customers fail to accurately prioritize what needs to be addressed, they risk wasting their IT teams' resources on issues that don’t significantly impact their operations, ultimately leading to more alerts in the SOC. Therefore, discussions around the Risk Operations Center and exposure management are increasingly relevant. Customers are increasingly interested in evaluating how much to invest in proactive risk management relative to the actual business risk they face. As I mentioned in my keynote, we are transitioning within ROCon from focusing solely on attack surface management to managing risk surfaces. You can overspend on covering your attack surface while the risk of loss remains low, which isn’t a sound business decision. This is the feedback we’re receiving and observing from our customers regarding billings. Would you like to add anything, Joo Mi?
I think that 8% that we believe that we'll be able to achieve in 2025 for the full year is on track.
Our next question is from Rudy Kessinger of D.A. Davidson.
Just a clarification on that last question, Joo Mi. You said that 8% billings for this year is "on track." Is that to imply that you think you can do 8%-ish again next year? Or can you just clarify that, please?
Yes. So right now, I mean, billing has the tendency to be very lumpy. So for this year, we think that we're going to end the full year at 8%, which implies a lower current billings growth rate for Q4 given the tough compare to one year ago. In terms of next year, it's a little bit too early to tell in terms of 2026 what we think that we'll be able to achieve. A lot of it will depend on what we'll be able to close the year at when it comes to the net dollar expansion rate. And we are monitoring very closely in terms of the newer product adoption to give us a better sense and clarity into what we think that we should be anticipating for 2026 growth rate.
Got it. Okay. You have had solid results in the last few quarters, with growth remaining steady at 10% over the past four quarters, and NRR holding steady at 104%. What would you need to see to feel confident in declaring that you can achieve stable growth of over 10% in the next couple of years?
We are definitely working towards that. The key areas for growth that we see right now include converting our VM customer base to VMDR customers and focusing on upselling with Eliminate. There is a strong interest in our cloud security solution, and we are having productive discussions with the Risk Operations Center regarding long-term federal opportunities. These are the areas we are targeting for short-term, medium-term, and long-term growth, all supported by our focus on mROC partnerships. Next year, we are particularly concentrated on converting VMDR to ETM and pursuing upsells with Eliminate.
Our next question is from Yun Kim of Loop Capital Markets.
Congrats on a solid quarter. Sumedh, on the Enterprise TruRisk Management, ETM, is that primarily a big deal sales motion? Or is it just a combination of a bunch of products that could be purchased and deployed in multiple phases and collectively that could lead to 100% uplift over time? Just want to get a better understanding of that 100% plus uplift commentary.
Yes, we feel confident based on the early feedback from customers that we can maintain all of the VMDR as we introduce AI capabilities, specifically Agentic AI features and a built-in marketplace. This allows customers to utilize an AI agent for a period of weeks while they focus on audits or address ransomware-related vulnerabilities. CSAM is included in this offering, as is the ability to test exploits. We believe this will be beneficial for our customers, particularly with VMDR and CSAM, along with the new features I've mentioned. We also spoke about Q-Flex, which we anticipate will align well as we scale next year. Many customers interested in ETM will also likely be interested in our Eliminate platform and cloud services. Q-Flex provides a mechanism for them to try out various Qualys modules that fit their needs without needing to engage in multiple purchase cycles throughout the year. Therefore, combining Q-Flex pricing with ETM cross-sells will be a key area of focus for us as we move into next year.
I'm looking forward to the adoption of ETM next year, as it seems like it will have a significant impact. Sumedh, you haven't made any acquisitions recently or anything substantial. Can you provide an update on your acquisition strategy? Your performance has been strong and the overall business is stable. With ETM launching next year and your pride in your organically growing platform, it seems there might be a strategic opportunity to expand your offerings more quickly. Are you considering any acquisitions given the dynamic changes in the market?
We are always open to exploring various opportunities, including small and larger acquisitions. Our primary focus is to provide our customers with an organic experience on our platform. In the past, we've successfully made tuck-in acquisitions when they aligned with our platform. However, our current strategy is to enhance the asset count that customers have with Qualys by integrating data from other tools, which may reduce the need for them to purchase specific capabilities from us. For instance, with our ISPM identity solution as part of ETM, we can utilize identities from services like Okta and AD without requiring customers to acquire a security company for AD. This approach increases the asset count within Qualys. The market dynamics are constantly evolving, and we are witnessing efficiencies from AI. We continue to monitor various players in the industry and stay focused on our roadmap for an organic customer experience while remaining open to the possibility of smaller or larger acquisitions as opportunities arise.
Thank you. This now concludes the question-and-answer session. Thank you for your participation in today's conference. This does conclude the program. You may now disconnect. Goodbye.