Qualys, Inc. Q4 FY2025 Earnings Call

Ladies and gentlemen, thank you for standing by. Welcome to Qualys' Fourth Quarter 2025 Investor Call. Please be advised that today's conference is being recorded. I would now like to turn the conference over to Blair King, Investor Relations. Please go ahead.

Thank you, Michelle, and good afternoon, and welcome to Qualys' Fourth Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, President and CEO; and Joo Mi Kim, our CFO. Before we get started, I'd like to remind you that our remarks today will include forward-looking statements that generally relate to our future events or future financial and operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

Thank you, Blair, and welcome to our fourth quarter earnings call. As threat actors continue to compress time-to-exploit, we believe the next phase of pre-breach risk management will be defined by an agentic AI-driven risk fabric with out-of-the-box business quantification, automated remediation to respond to the speed of these threats. Against that backdrop, we continued to execute well in Q4, demonstrated by another quarter of strong revenue growth and profitability. In my conversations with hundreds of CIOs and CISOs as well as security leaders from many of the world's largest and most innovative organizations, one message has remained consistently clear. Reducing cyber risk isn't about detecting more exposures. It's about operationalizing a cyber risk management program that aligns spend with risk tolerance. In doing so, CISOs are increasingly prioritizing the unification of fragmented security stacks into a centralized risk fabric, one that serves as a credible alternative to single-vendor platforms by bringing diverse risk vectors into a prioritized, measurable view of risk that their teams can confidently communicate and remediate at machine speed. That message was further amplified at our recently concluded ROCon conference in Mumbai, with attendance up over 30% from last year's event as we again broadened the agenda to include a business track. And with the element of AI, which is democratizing cybercrime and enabling adversaries to operate with unprecedented speed and sophistication, this need is only intensifying. As a result, we believe that the future of pre-breach risk management belongs to vendor-agnostic agentic AI-powered solutions that continuously predict, assess, confirm, quantify, prioritize and remediate risks across on-prem and multi-cloud environments. Over the past year, we continued to execute relentlessly towards this vision, delivering meaningful platform innovation to help customers reduce risk faster, operate more efficiently and stay ahead of an increasingly dynamic landscape. Accordingly, in 2025, we broadly expanded the Qualys ETM platform to third-party data and launched a powerful new orchestration layer that unifies Qualys and non-Qualys findings, applies our industry-leading threat intelligence and delivers a business-contextual quantified view of risk with built-in prioritization and automated remediation. Building on this foundation, we introduced an agentic AI risk fabric that assesses and normalizes diverse internal and external data sources, applications, and machines. We extended these capabilities with the first-of-a-kind agentic AI risk management marketplace, enabling security and IT teams to quickly augment their existing workforce with highly specialized autonomous experts that significantly reduce time to remediation, increase accuracy and reduce costs. To further close security gaps, we again organically enhanced ETM with a natively integrated Identity Security Posture Management solution at a time when identities have become part of the new AI perimeter. And further flexing the power of our platform, we are now confirming exploits before customers are compromised. While traditional Continuous Threat Exposure Management solutions rely on a theoretical risk score and ignore mitigating security controls, ETM takes a fundamentally different approach. On a single platform, it uniquely detects vulnerabilities, validates exploitability, applies remediation and revalidates exploit using Agent Val, agentic AI workflow. The net result is that Qualys is redefining how organizations manage pre-breach risk management. While competitors continue to focus on detecting vulnerabilities or mapping theoretical exposures, Qualys has moved decisively beyond that model. We are pioneering the first agentic AI-native Risk Operations Center, ROC, a new category in cybersecurity designed to centralize an organization's response to threats spanning exploit confirmation to autonomous remediation. Powered by our ETM solution, the ROC represents a fundamental diversion from traditional CTEM tools. Competitors can point to exposures. They can't quantify cyber risk in dollar terms that matter most to the business, and they cannot adequately fix them. ETM fills that gap. This is what sets Qualys apart. We don't stop at detection and non-quantifiable prioritization. We natively integrate CTEM, exploit confirmation, risk quantification and remediation operations into a single AI-powered workflow, leveraging both Qualys and non-Qualys data sources. In doing so, our architecture orchestrates and implements a perception-reasoning-action loop, enabling autonomous agents to collect real-time telemetry, reason through risk signals, plan response workflows and execute actions. This enables organizations to holistically predict emerging risks across infrastructure, cloud, application security, IoT and identities, safely confirm probable exploits, prioritize threats based on business impact, remediate through patching or other compensating controls and verify the effectiveness of the remediated tactic. This end-to-end vendor-neutral approach is catalyzing a paradigm shift in pre-breach cyber risk management, where customers aren't just seeing their risk holistically across the risk stack. They're validating it, quantifying it and reducing it continuously and autonomously at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that brings customer value. Armed with this fresh new set of capabilities and early momentum already validating this model, we are now laser-focused on accelerating ETM adoption through our VMDR customer base and positioning Qualys for larger upsell opportunities over time. Moving to our business update. With customers spending $50,000 or more with us growing 4% from a year ago to 215, let me now share a couple of recent wins which illustrate why organizations ready to centralize the response to cyber risk are turning to Qualys to help unify the security stack, quantify and remediate risk in their environment and fortify their security operations. First, an existing Global 50 customer was struggling under the weight of multiple unintegrated security tools, millions of vulnerabilities and limited visibility into the overall risk profile. Traditional prioritization methods were unable to adequately filter critical findings, leaving security and IT teams without the necessary business context to act decisively. Consequently, this customer selected Qualys and launched a strategic initiative to unify their security stack by transforming siloed risk signals spanning on-prem and multi-cloud environments into a cohesive, agentic AI-native risk management solution. This included expanding the ETM deployment to further operationalize the ROC with ingested third-party data from several sources, resulting in a mid-6-figure annual bookings upsell. By consolidating these data services into the Qualys platform, we are now delivering this customer a unified orchestration layer and full visibility of their attack surface, centralized risk assessment, quantification, prioritization and remediation workflows while unleashing the operational efficiency of the stack consolidation. This expansion of their ROC underscores the power of our platform and reinforces Qualys' ability to unify siloed risk signals, operate as an autonomous defense layer, strengthen customer outcomes aligned to the business risk tolerance, and advance our leadership in the industry. Leveraging our mROC partner ecosystem, we are also pulling new business into Qualys. During the planning stages of launching a new ETM POC with a global 200 company in Latin America, we secured a 7-figure annual bookings upsell, which included our TotalCloud CNAPP and Policy Audit solutions. This win demonstrates the leverage of our partner-led motion and our ability to convert early engagements into meaningful, multi-solution growth. Turning to our Federal business. We achieved a mid-6-figure expansion with one of the federal government's most visible shared security services utilized by several large government agencies nationwide. Faced with an overwhelming volume of security issues that limited resources to continuously assess risk across augmented tools and manual workflows, this customer chose Qualys for its cloud-native FedRAMP High Authorized platform to enable a centralized government program that quantitatively prioritizes risk with automated assessment, standard outputs and low operational overhead. Given the success of this deployment, we are now working towards a multi-agency ETM rollout representing a significant upsell opportunity as this shared services team prepares to operationalize its Risk Operation Center. These results alongside another 6-figure upsell with a separate large federal agency reinforce our proven ability to align technical capabilities with operational outcomes that address modern security challenges and underscore the long-term growth opportunity in our Federal business. Beyond these wins, we are also gaining more leverage from our partner ecosystem. As we continue to endorse a partner-first sales motion, partner-led deal registration increased again in Q4, reflecting deeper alignment and execution across the channel. In addition, with well over a dozen certified mROC partners actively launching new services, momentum continues to build towards a global ROC alliance, fueling our capability, harnessing transformative solution sales and bringing new business to Qualys. Further contributing to our growth profile, in Q4, we continued beta testing QFlex to help customers accelerate and maximize adoption of the Qualys ETM platform. Given the strong customer response and early success of this model, we plan to continue to focus on proactively identifying opportunities to leverage QFlex to enable select customers and partners to accelerate their adoption of Qualys solutions in 2026. In summary, we are fundamentally changing how organizations manage pre-breach cyber risk by unifying CTEM with exploit confirmation, risk quantification and automated remediation powered by an agentic AI risk fabric. Our rapid pace of innovation and strategic investments are driving strong competitive differentiation, deeper ROC adoption, broader engagements across large federal agencies, growing partner-led execution and initial QFlex success. Looking ahead to 2026, we'll continue our disruptive innovation, further advance our go-to-market investments and execute our ROC vision with a balanced approach to long-term growth and profitability.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period, unless stated otherwise. We're pleased to report a healthy finish to the year, highlighting our continued execution, financial discipline and scalable business model. For the full year, we grew revenues by 10% to $669.1 million and achieved adjusted EBITDA margin of 47%, even with continued 14% growth in investments in sales and marketing. Net income and EPS grew 13% and 15% to $257.8 million and $7.07 per diluted share, respectively. And free cash flow reached $304.4 million, or 45% of revenues, all of which exceeded our expectations for the year. Turning to fourth quarter results. Revenues grew 10% to $175.3 million. The channel continued to increase its contribution, making up 51% of total revenues compared to 48% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 4%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the U.S. was ahead of our domestic business, which grew 6%. U.S. and international revenue mix was 56% and 44%, respectively. With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2026 to remain similar to last year with a low to mid-single-digit growth in security spend persisting for the foreseeable future. Reflecting this sentiment, our gross dollar retention rate remained comfortably above 90%. We saw a modest sequential decline in Q4, with our net dollar expansion rate at 103%, down from 104% last quarter. In terms of product mix, our differentiated new products continue to drive growth with all three of the following increasing contribution to bookings in 2025. First, Cybersecurity Asset Management, combined with ETM made up 10% of total bookings and 13% of new bookings in 2025, up from last year's 8% and 9%, respectively. Next, Patch Management made up 8% of total bookings and 16% of new bookings in 2025, up from last year's 7% and 16%, respectively. Lastly, TotalCloud made up 5% of total bookings in 2025, up from 4% a year ago. We believe that these differentiated products combined will continue to increase contribution to bookings in 2026, given our opportunity to increase market share and maximize share of wallet. Turning to profitability. Adjusted EBITDA for the fourth quarter of 2025 was $82.6 million, representing a 47% margin, same as last year's. Operating expenses in Q4 increased by 11% to $68.9 million, driven by investments in sales and marketing, which grew 18%. With this strong performance, EPS for the fourth quarter of 2025 was $1.87 per diluted share, and our free cash flow was $74.9 million, representing a 43% margin compared to 26% in the prior year. In Q4, we continued to invest the cash we generated from operations back into Qualys, including $724,000 on capital expenditures and $44.7 million to repurchase 328,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.7 million shares and returned over $1.2 billion in cash to shareholders. As of the end of the quarter, we had $160.5 million remaining in our share repurchase program. We are pleased to announce that our Board has authorized another increase of $200 million to the share repurchase program, bringing the total available amount for share repurchases to $360.5 million. With that, let us turn to guidance, starting with revenues. For the full year 2026, we expect revenue to be in the range of $717 million to $725 million, which represents a growth rate of 7% to 8%. For the first quarter of 2026, we expect revenues to be in the range of $172.5 million to $174.5 million, representing a growth rate of 8% to 9%. This guidance assumes no material change in our net dollar expansion rate with moderate growth contribution from new business in 2026. Shifting to profitability guidance. For the full year 2026, we expect EBITDA margin to be in the mid-40s, implying mid-teens increase in operating expenses, and free cash flow margin in the low 40s. We expect full year EPS to be in the range of $7.17 to $7.45. For the first quarter of 2026, we expect EPS to be in the range of $1.76 to $1.83. Our planned capital expenditures in 2026 are expected to be in the range of $8 million to $12 million, and for the first quarter of 2026 in the range of $1.2 million to $2.6 million. In 2026, with respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, accelerating our partner program and expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing with more modest increases in engineering and G&A. With that, Sumedh and I would be happy to answer any of your questions.

And the first question comes from Jonathan Ho with William Blair.

Congratulations on the strong quarter. Can you talk a little bit more about some of your QFlex offerings and how it potentially helps remove friction and perhaps encourages broader adoption of your platform?

Yes. Thank you very much. And that's a great question. We've talked about this last quarter as well. I think if you take that in relation to what we are doing with the Risk Operations Center and ETM and how we're differentiating ourselves from the exposure management solutions is that the ability to detect all your assets, find your vulnerabilities to use agentic AI to actually not only prioritize those, which is what a lot of these exposure management solutions do, which is just giving you a score, we're leveraging the ability to use agentic AI to confirm those exploits with the environment, which is very differentiated from what everybody does. But then after that, actually, the ability to also remediate those. And so being able to get this end-to-end very quickly, very fast before attackers are leveraging AI to do the same for your environment, the QFlex proposal allows the customer at their pace to then be able to consolidate a lot of these capabilities on a single platform with Qualys and do that over a period of time during their subscription with us, which allows them to maybe initially start with more of that prioritization and confirmation but then as the year goes by, it allows them then to leverage our eliminate capabilities more and more to be able to focus on getting the outcome of getting these things fixed. And so what we're excited about is our conversations initially with the customers that have adopted this have been very positive in the fact that the security environment is not a static environment at the beginning of the year. It is continuously changing throughout the year. And the flexibility that, that pricing model offers them to actually be able to leverage different Qualys capabilities throughout the year as the threats change is a very big positive for them. So really happy with the feedback we have gotten in the beta phase. And at this year, 2026, we look forward to doing more of that and moving more towards the GA model for that.

Got it. Got it. And then just in terms of some of your comments around AI, I mean, clearly, you're seeing a lot of customer interest here. Can you maybe help us understand like where the customer is in terms of their AI journey? And also help us understand what that opportunity looks like for Qualys. So if you start selling more of these agentic products, AI sort of native products, how do we think about how that can impact sort of net retention going forward?

Sure. Many people discuss how AI is integrated into their platforms. Our unique approach lies in launching an AI agent marketplace within our platform, enabling customers to enhance their workforce and security teams. We've long highlighted the shortage of talent in the security industry. With this, customers can access agents like Sara, who specializes in patches, and Val, who possesses skills to autonomously make decisions on exploitation remediation. This allows customers to employ a specific agent to accomplish tasks that would otherwise require weeks or months of hiring consultants. Our agentic AI capabilities are embedded throughout the platform, making these agents feel like integral team members who can assist in achieving desired outcomes. We've structured this so that customers using VMDR receive a high-quality list of findings. When they cross-sell into ETM, they gain the ability to prioritize vulnerabilities and access agentic AI features, enabling them to complete various tasks. As customers consider their workforce needs within the agentic AI context, these capabilities help them achieve results swiftly. Additionally, through our TotalAI offering, we assist customers in identifying and addressing vulnerabilities and misconfigurations in their AI workloads. We anticipate that customers will bring more data related to their AI solutions into Qualys ETM. We view agentic AI capabilities as a key differentiator encouraging customers to transition or explore ETM, while also outperforming other exposure management solutions that merely provide scores. This will facilitate quicker patching processes, and we believe this distinction can drive customers to choose ETM over other existing solutions.

Congrats on the quarter. You answered some of this in the prior response, but would just love to hear more about how Agent Val is elevating ETM from an efficacy perspective. And just how Agent Val is reducing total net hours at the customer level and how that's resonating with customers?

Thank you, Kingsley. I wish we had more time to discuss this because it's a topic I could elaborate on for much longer. Historically, when Kenna was introduced, everyone was providing theoretical scores based on vulnerability findings and CVE information. However, a theoretical score doesn't reflect the reality that a high score doesn't mean a customer doesn't have other controls in place that could prevent a particular exploit from functioning in their environment. They might have firewalls or memory protection that standard scanners or exposure management solutions won't recognize. What Agent Val does is utilize an autonomous decision-making process to evaluate the findings and scores while also performing a safe exploit test on the asset to verify if the vulnerability can actually be exploited within a customer's setup. This goes beyond just relying on theoretical scores. Typically, when security teams provide these scores to IT teams, a lot of time is wasted as they try to investigate these findings only to realize they are false positives due to existing controls. Customers want to optimize their IT teams' time by avoiding fixes for vulnerabilities that are not actually exploitable in their environments. By safely confirming whether an exploit is viable, IT teams can save significant time and gain clarity. They can confirm that a vulnerability is highly exploitable but can be managed due to existing protections, or that it is indeed a major risk without protection in place. This allows them to prioritize their actions rather than just chasing scores, which makes their process safer and more efficient. This agentic AI workflow enables customers to significantly decrease the number of findings. Once an exploit is confirmed, there’s no time to create tickets for manual remediation. They want to use another agent to trigger automated fixes immediately upon confirmation that a vulnerability is exploitable. This not only provides reassurance that the risk is real and not just a theoretical concern, but it also reduces the time exposure is left open by streamlining the process of exploiting and remedying vulnerabilities. Companies need to leverage automation and autonomous decision-making for effective problem-solving, which sets us apart from other solutions out there.

For Joo Mi, it's been a remarkable year for Qualys. You guided to 7% at the midpoint. Entering last year, and you put up 10% and now you're guiding closer to 8% this year. How can we think about the levers for upside to growth this year? Yes. 2025 was a solid year. From an execution standpoint, it was a very exciting year for us with ETM having gone live at the end of 2024. We've had a significant number of discussions with our existing customers in terms of how we can increase value without them having to double their spend initially with us. And so, by doing that and working through our partners, what we were able to do is finalize our pricing and packaging for ETM and identify our key products that are going to be levers for growth in the short term and long-term going forward as well. So 2025, a solid year, closing the year with another 10% growth for revenue, which we're really pleased about. Now when it comes to current billings, it came in line with our expectations from last quarter with 2025 current billings growth of 8%. That's slightly lower than the 9% that we posted back in 2024 for current billings. So looking ahead to 2026, I think that's kind of more or less in line with what the baseline case is for us. Looking out, our guidance is really informed by what we see in the business today, the discussions that we're having, what we expect from the macro and in the spending environment. With that said, we do anticipate significant upside. Given what Sumedh just covered, we have very exciting product discussions with existing customers as well as prospects. I think that we've gone ahead and really leveraged our innovation and our power to really deliver what the customers are looking for and what the market is looking for. So we're excited about the outlook. But with that said, the baseline still remains to be around 7% to 8%. Our guidance assumes no significant change in the net dollar expansion rate. Historically, this rate has fluctuated up or down each quarter over the past few years. Currently, as we begin the year with an expectation to finish 2025 at 103, we do not foresee a substantial change in that rate.

I think it's still very early. As we mentioned at the end of last year, we started with proof of concepts, and we are very encouraged by what we are seeing with them and the conversions we are achieving. However, we are still in the early stages, as we are dealing with customers who are early adopters. While this is promising, we do not have enough data to accurately project a confirmed trajectory. As we improve our execution in the first couple of quarters, we will gain a better understanding. This is where, as Joo Mi has previously mentioned, we will begin to provide guidance on how ETM is performing, starting with the Q1 earnings call for 2026. This will enable you to track our progress from the beginning and see how we plan to grow over the next few years in this significant opportunity we have identified.

Joo Mi, I think you said in response to Jonathan's questions earlier. I think you said baseline remains around 7% to 8%. I'm not sure if you're referring to the revenue guide for this year or if that was also your expectation for roughly what we should expect for current calculated billings for the year.

I would say that we don't give specific guidance for current billings, but our expectation is that current billings growth rate will be more or less in line with the revenue growth rate. So 7% to 8% for both for the full year 2026.

Yes, all of this needs to go right. We've done a lot of innovation and our products are finally being released, which is fantastic. The Agent Val will be particularly interesting for us, as will the recent identity solution. A crucial aspect of our strategy has been collaborating with partners. For instance, we are currently focusing on certifying more mROC partners, ensuring they are trained and ready to develop their offerings around the Risk Operations Center. The goal is for these partners to bring us new business and upsell opportunities since they can offer a risk management service with mROC on top of their existing VM solutions. They can integrate data into Qualys and ETM and charge customers for managing and consolidating their various risk factors. We look forward to seeing how this develops as we work on getting the partners up to speed. As they begin to present these offerings to their customers, we will gauge how well they resonate. Initial discussions have been very promising, and we are beginning to see some business coming in from these partners. QFlex has positively impacted customers transitioning from VMDR to ETM, allowing them to experience a certain level of growth and at a manageable pace for adopting a Risk Operations Center. Additionally, we received our FedRAMP High certification at the end of last year, opening up more conversations for the 2026 budget cycle for federal agencies that weren't possible in time for 2025. The discussions following our FedRAMP High certification for 2026 and 2027 look promising as potential upside. As Joo Mi has indicated, we are enthusiastic about these developments that could lead to better outcomes for us.

And our next question will come from Matthew Hedberg with RBC Capital.

This is Mike Richards on for Matt. Keeping a little high level here, Anthropic's new model release today put an emphasis on cybersecurity and specifically, the model's performance for vulnerability discovery and patching. So I was just wondering, if you could talk about what you believe these developments mean for Qualys and maybe the cybersecurity industry more broadly as model providers look to potentially go deeper into cybersecurity.

Yes, that's a great question. I believe today's announcement highlighted the understanding that autonomous AI is enhancing the coding process. Attackers are already leveraging AI to uncover vulnerabilities in software code. While it's one thing to identify a vulnerability in open-source code, as Anthropic is assisting with, the real challenge lies in locating all the machines running that software across a customer's environment, both internally and externally. After identifying a vulnerability, it's crucial to test whether it can be exploited in each customer's unique environment and on their specific machines. That's where Anthropic's development truly helps. It emphasizes the importance of using an agentic AI solution to quickly validate vulnerabilities in your environment and autonomously apply fixes. Since attackers are also using AI to find these vulnerabilities, they will attempt to exploit them quickly. We believe that our ETM and Agent Val empower customers to bridge the gap between discovering a vulnerability and its exploitation. We can leverage ETM with Agent Val to identify issues in specific environments and machines, enabling prompt protection through patching. This differentiates us in the market. It's also a powerful reminder of what AI can provide to attackers in terms of finding issues in open-source code, which further highlights the value of the ETM platform for real-time vulnerability identification rather than just codebase analysis, as Anthropic is currently doing.

This is Joe Vandrick speaking on behalf of Patrick Colville. Can you help us understand the strategy you're using to encourage customers to adopt not just vulnerability management but also prioritization and Patch Management? Additionally, can you provide insight into what percentage of the customer base is using just the basic functionality of vulnerability management?

Yes, that’s a great question. If you look at our efforts in Patch Management, we’re pleased to see the adoption of both Patch Management and Cybersecurity Asset Management. These enhancements significantly improve the basic vulnerability detection of VMDR, particularly in managing and addressing the array of CVEs effectively. We’re excited about this progress. Today, we provide customers insights such as average exposure windows and detailed analyses of how specific vulnerabilities affect their environments. For instance, typical threat exposure management solutions might assign a risk score, indicating which assets need attention based on that score. However, if you consider the value of the assets, you might find that an asset with a risk score of 900 is on a machine generating $2 million a year, while one with a score of 750 is tied to a machine generating $500 million a year. This shifts the prioritization, as the potential loss from the lower-risk asset is far greater. Once customers understand the financial impact of these vulnerabilities, their focus quickly shifts to immediate protection against potential losses. This is where our integrated patching and mitigation solutions prove invaluable; they help customers act swiftly to close vulnerabilities before attackers can exploit them. The increase in Patch Management adoption—140 million patches in a year—reflects this urgency. We not only enhance visibility for our customers but also empower them to resolve issues effectively. Our partners appreciate the chance to offer more than visibility; they can also help clients achieve tangible risk reductions. We look forward to innovating further in exploit validation, mitigation, and enhancing our Patch Management solutions while raising awareness of our Risk Operations Center. Risks arise from various sources, including the cloud, traditional virtual machines, and identities, all of which we address with our offerings like ISPM and Policy Audit. New threats from AI also necessitate solutions like TotalAI. We are committed to expanding our focus on integrating new assets into our ETM while continually innovating to streamline risk mitigation through automation and agentic AI, which sets us apart in the market.

Yes. Right now, our expectation is that the seasonality remains the same. So same thing as what you saw in 2025. It will be skewed towards the second half of 2026.

Thank you, Junaid, for your question. We've been having discussions with our partners who have invested heavily in EDR, XDR, and post-breach solutions for their Security Operations Centers. Now, there's also interest in agentic AI SOC solutions to further enhance those systems. However, they feel that although they've made investments in pre-breach tools, called SPM tools, like DSPM, SSPM, and CSPM, these tools often just provide multiple dashboards. Customers are becoming fatigued, expressing that these dashboards aren't effectively preventing breaches. While they've established protections on the post-breach side to identify attackers, they see the need to improve how they operationalize their workflows to consolidate findings from various tools. Some tools, like code scanners, tend to generate many false positives. Conversations are shifting positively toward allocating more budget in the coming years for this purpose. We are witnessing early adoption of exposure management, or RBVM, and when we demonstrate ROC, which encompasses more than just exposure management, customers are more willing to adjust their budget accordingly. There's a noticeable shift in focus this year toward proactive risk management. We've accomplished much on the reactive side and now aim to enhance our proactive measures.

This is Joshua Tilton from Wolfe Research. Can you guys hear me?

Yes, Josh.

Awesome. Sumedh, I want to follow up on your response regarding the Anthropic blog post on cybersecurity. I would like to rephrase my question in a simpler way. Is it correct to think that much of the functionality mentioned by Anthropic pertains to application security testing and the discovery of vulnerabilities prior to using a traditional VM tool? I’m not an expert, so if I'm misunderstanding this, please let me know. But is that the right way to look at it?

Yes. Currently, a significant part of their attention is on analyzing open-source code by examining the codebase and reviewing commit logs to identify vulnerabilities within that specific code. This codebase is then compiled into applications or software that operate across millions of machines in various customer environments, each behind different firewalls. Generally, Qualys's focus is on how to quickly assess vulnerabilities once they are discovered or exploited by attackers, rather than concentrating on the application code discovery stage, which is where many AI agents are currently directing their efforts.

Thank you. This does conclude today's question-and-answer session, and this also concludes today's conference call. Thank you so much for participating, and you may now disconnect.