Skip to main content

Earnings Call

Qualys, Inc. (QLYS)

Earnings Call 2026-03-31 For: 2026-03-31
Added on May 11, 2026

Earnings Call Transcript - QLYS Q1 FY2026

Operator

Ladies and gentlemen, thank you for standing by. Welcome to Qualys First Quarter 2026 Investor Call. At this time, all participants are on the listen-only mode. After the speaker's presentation, there will be a question and answer session. To ask a question during the session, you would need to press star 11 on your telephone and you will then hear an automated message advised and your hand is raised. And to withdraw your question, please press star 11 again. Please be advised that today's conference is being recorded. I would like now to turn the conference over to Blair King Investor Relations. Please go ahead.

Blair King, Head of Investor Relations

Thanks, Michelle. Good afternoon and welcome to Qualys' first quarter 2026 earnings call. Joining me today to discuss our results are Sumed Dakar, our president and CEO, and Jumi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to product capabilities, future events, or future financial or operating performance. Actual results may materially differ from these statements and factors that could result and factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information for future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks, and investor presentation are all available on the investor relations section of our website. So with that, I'd like to now turn the call over to Samet.

Sumedh Thakar, CEO

Thanks, Blair, and welcome to our first quarter earnings call. I'm pleased to report we delivered another quarter of strong revenue growth and profitability. With the accelerated progress of new frontier models discovering vulnerabilities and writing exploits autonomously, the number of detections is going to go up significantly while the exploit window is going to shrink dramatically. The need for organizations to know their true risk to effectively prioritize and auto-remediate riskiest vulnerabilities in less than a day has never been greater. This is why we innovated with the ETM Enterprise Tourist Management Platform, which implements an AI ROC risk operation center so customers can get their risks remediated instead of relying on dashboard tourism with siloed products that increase their exposure. Given our number one rating in the GigaOM patch management radar with over 150 million patches deployed and over 40 million of these delivered autonomously in the last year, with a Six Sigma accuracy, organizations are turning to Qualys as a trusted solution to help them move from current broken manual remediation processes to high-impact, low-risk, autonomous remediation workflows at scale that go beyond patch management. And that's exactly where we are focused. With exploitable vulnerability volume surging 6.5x and the average time to expect collapsing to under a day as adversaries weaponize vulnerabilities before patches even exist, security teams' focus on theoretical exposure are overwhelmed. Just finding more and more vulnerabilities doesn't equal risk. Real risk is determined by whether an adversary can successfully execute an exploit path in an organization's live environment. That's why I'm pleased to report that our most recent addition to our agenting AI marketplace, AgentVal, is now generally available. Powered by TrueConfirm within our ETM solution, AgentVal delivers closed-loop exploit validation and autonomous remediation directly to the ROG. Using autonomous exploit validation at scale, we remove the guesswork for customers by running safe exploits over the network to confirm whether attackers will succeed in their breach attempts while enabling security and IT teams to focus on the less than 1% of threats actually exploitable in their production environments. In doing so, we have closed the gap between theoretical and actual exposure and set a new adoption standard in the industry. While traditional CTEM solutions take days to pull scan telemetry from scanning tools and rely on theoretical risk scores, ignoring mitigating security controls, ETM, and its agentic AI workforce takes a fundamental different approach. Inside a continuously functioning loop, it detects vulnerabilities, validates exploit, quantifies real risk, automates remediation, and revalidates the exploit. Optimized and integrated with leading LLMs and SLMs, this end-to-end approach empowers organizations to be laser-focused on prioritizing only exploitable threats for the next logical step, which is Autonomous Remediation, Leveraging Agent Sera, and True Risk Eliminate. Underpinning our True Risk Eliminate solution is our new AI-powered patch reliability score, a model trained in our own proprietary data set of hundreds of millions of deployed patches, which predicts patch-induced outages before they happen, giving customers the confidence to deploy with certainty or pause with purpose while setting a new standard for predictive, operationally-aware patch management. With an umbrella of remediation solutions, including patching and other compensating controls, with less than a tenth of a percent rollback rate, the AI-native rock accelerates, streamlines, and democratizes security outcomes while transforming from we think to we know to it's being fixed at machine speed. In the context of the newest frontier AI models giving attackers the ability to soon discover a divulge of zero-day vulnerabilities, generate exploration near real-time, and develop autonomous attack agents unlike anything the industry has seen, the feedback to our get-it-fixed-in-hours approach from many of the CISOs I met at our recent ROCON EMEA event in London has been very positive. They shared their excitement about the rapid pace of new capabilities via delivering their deployment agendas and their ability to now autonomously monitor, measure, and confidently remediate actual risk in multi-vendor environment in an era where just generating visibility dashboards is increasingly unacceptable. Our industry-leading capabilities are gaining broader recognition among our customers, partners, and third-party analysts. Specifically, our Total Cloud solution was recognized as a leader in CNAP in the Q1-2026 Forrester Wave Report and subsequently won the 2026 SE Award for the best cloud security management solution. Both underscore our capabilities in delivering unified visibility with real-time detection and response at runtime across hybrid environments. It was also a position as a leader in a 2026 gigaOM radar report for cloud identity and title management and following our dual Pony Awards late last year, our threat research unit TRU has again demonstrated its impact with the discovery of crack armor, uncovering critical app armor vulnerabilities that can lead to root-level compromise and container escape across millions of Linux systems worldwide. This alongside with our recently released research on the broken physics of remediation further demonstrates Qualys' commitment to fortify security operations and raising the bar on adversaries. The net result is that we have distinctly unified CTEM, exploit validation, cyber risk quantification, and remediation into a single AI-driven risk fabric that continuously censors, alerts, reasons, and acts across hybrid environments. Armed with these capabilities and growing ROC momentum that will soon autonomously trigger ITSM workflows, we remain laser-focused on accelerating ETM adoption throughout our vulnerability management and detection response customer base and positioning Qualys for larger upsell opportunities over time. Turning to our business update, we have established a long history of converting operational challenges into strong competitive advantages demonstrated by customers spending $500,000 or more, growing 9% from a year ago to 2021. That's why one of my favorite wins in Q1 was with an existing global 1,500 customer. Despite strong foundational visibility, the team struggled to operationalize risk reduction across a growing mix of on-prem and multi-cloud environment, siloed tools, fragmented telemetry, a growing population of LLMs, and millions of vulnerabilities with limited business context. This customer recognized that traditional severity-based prioritization methods were no longer sufficient and launched a strategic initiative to unify risk signals across their environment and operationalize the ROC. Leveraging AI for security and security for AI, they expanded the Qualys footprint by adopting ETM and Total AI in a mid-six-figure annual upsell. By consolidating disparate signals into the Qualys platform, this customer now has a unified orchestration layer that delivers end-to-end visibility across their attack surface, including deep scans on their assets across binaries, open source libraries, and dependencies with centralized risk quantification, prioritized remediation workflows, and measurable outcomes aligned with business risk tolerance. This win reflects broader ETA momentum as more and more customers turn to Qualys for evidence-based exploit validation and remediation while benefiting from the efficiency and scale of AI-native rock automation. Partners remain a key pillar for our growth agenda. In addition to a growing list of nearly two dozen certified MROC partners beginning to actively launch new services, we are seeing momentum build across all geographic theaters with a strong focus on AI Native Rock. For example, one of our largest MROC partners is now in the process of bringing a cost-ready AI Native Rock to market, powered by our ETM and automated remediation solutions. Additionally, through our strategic alliances initiatives, we continue to drive deep technology integrations, co-sealing opportunities, and demand generation programs. To drive innovation in security research through the latest frontier models, we have partnered with OpenAI in their Trusted Access for Cyber program and Anthropic in their Cyber Verification program to advance our vulnerability and threat intelligence and allow customers to ingest these findings into ETM for further detection and remediation. On the cyber insurance side, we are also pleased to announce a new strategic partnership with Converge Insurance, leveraging the Qualys ETM solution to help their customers demonstrate strong security hygiene and qualify for meaningful premium reduction, advancing our vision of tying cybersecurity to business outcome for CISOs. Further supporting our growth trajectory in Q1, we continue to expand beta testing of QFlex, designed to help customers accelerate and broaden their adoption of the Qualys and ETM platform. Based on strong early engagement and positive feedback we plan to build on this momentum by proactively identifying opportunities to extend KubeFlex to select customers and partners with a go live date planned for later this And finally, as the federal government seeks to garnish greater efficiency and replace outdated and costly on-prem deployments from years past with modern cloud-native risk management solutions, we are especially excited to host our third annual federal conference in Washington, D.C. towards the end of this month. We have made good progress growing our federal business and advancing our FedRAMP high status with large federal agencies, and we continue to believe this market will fuel a new leg of growth for the company over time. In summary, we are pioneering a new category in pre-breach risk management by bringing autonomous exploit validation, risk quantification, and zero-day remediation together within a single AI-driven risk fabric that redefines how enterprises operationalize cyber risk. Complementing frontier model discovered vulnerabilities, our platform leverages proprietary domain data, real-time telemetry, and deep operational context using sensors and agents behind the firewalls to continuously discover assets, validate exposures, quantify risk, remediate threats, and enforce company-specific policies which are unavailable in the public domain. This is driven by over two decades of processing petabytes of structured telemetry combined industry-leading threat intelligence in a closed-loop system that compounds across thousands of customer environment every day. Frontier models are powerful in accelerated back-path analysis and triage. However, they need to be paired with a highly reliable control plane to consistently enforce accurate policy and compliance outcomes across live hybrid environments. This is where the unique value proposition for Wallace customers lives, and it requires deterministic, auditable, repeatable, and trusted execution with effectively zero tolerance for error. With attacks moving at machine speed and increasingly requiring defenses that learn and respond in real-time, closed-loop agent-to-agent orchestration governed by policy and harnessed by flexible model choice act as a force multiplier, further enabling precise risk quantification, safe remediation, and even faster and more deterministic outcomes at scale. For QALIS, this means our massive data context, LLM and SLM integration, and trusted execution serve as the system of record for pre-breach cyber risk management and translate AI into a packaged ROC automation platform that delivers customers measurable risk reduction, zero-day remediation, governed outcomes, and immediate ROI. With that, I will turn the call over to Jumi to further discuss our first quarter results and outlook for the second quarter and full year 2026.

Joo Mi Kim, CFO

Thanks, Ned, and good afternoon. Before I start, I'd like to note that except for revenue, revenues, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period unless dated otherwise. Turning to first quarter results, revenues grew 10% to $175.6 million. The channel continued to increase its contribution, making up 52% of total revenues, compared to 49% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 3%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By GEO, 15% growth outside the U.S. was ahead of our domestic business, which grew 6%. U.S. and international revenue mix was 55% and 45% respectively. In Q1, as expected, there was no meaningful movement in our net dollar expansion rate, closing the quarter at 104%, slightly up from 103% last quarter. More importantly, we'd like to turn to a new metric that we plan to disclose going forward on a quarterly basis, net dollar expansion rate of customers with prior year purchase of ETM or CSAM subscriptions. We believe that this metric is currently the best indicator of success of our ETM strategic initiatives. With ETM innovation having stemmed from strong customer demand, we anticipate ETM adoption to drive higher net dollar expansion rates. However, given that ETM adoption is still in its early stages, we have decided to include CSAM customers in this cohort so that the metric has more weight to it. In addition, as a reminder, ETM is essentially an upgrade from CSAM, so we believe that this is an appropriate baseline to track and measure going forward. In Q1, the net dollar expansion rate of ETM CSAM cohort was 107%. As more customers move into this cohort, we hope to see consistent and meaningful improvement to our overall net dollar expansion rate and thereby driving accelerated revenue growth. Moving on to product mix, our differentiated new products continue to drive growth. First, ETM system combined made up 11% of total bookings and 14% of new bookings on an LTM basis in Q1, up from last year's 8% and 9% respectively. Next, patch management made up 8% of total bookings and 15% of new bookings on an LTM basis in Q1. This compares to 7% and 16% respectively in Q1 of last year. Lastly, TotalCloud made up 5% of total LTM bookings in Q1, unchanged from a year ago. We believe that these differentiated products combined will increase contribution to bookings in 2026, given our opportunity to increase market share and maximize share of wallets. Reflecting our scalable and sustainable business model, adjusted EBITDA for the first quarter of 2026 was $83.3 million, representing a 47% margin, same as last year. Operating expenses in Q1 increased by 8% to $67.5 million, driven by investments in sales and marketing, which grew 17%. With this strong performance, EPS for the first quarter of 2026 was $1.95 for dilute a share, and our free cash flow was $93.6 million, representing a 53% margin compared to 67% in the prior year. In Q1, we continue to invest the cash we generated from operations back into QALYS, including $1.7 million on capital expenditures and $53.9 million to repurchase $505,000 of our outstanding share. Since commencing our share repurchase program in February of 2018, we've repurchased 11.2 million shares and returned $1.3 billion in cash to shareholders. As of the end of the quarter, we had $306.6 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenue. For the full year 2026, we now expect revenues to be in the range of $721 to $727 million, which represents a growth rate of 8 to 9 percent. This compares to prior guidance of 717 to 725 million. For the second quarter of 2026, we expect revenues to be in the range of 177.5 to 179.5 million, representing a growth rate of 8 to 9 percent. While we believe our approach to pre-breach cyber risk management provides some insulation amidst ongoing macro volatility, this guidance continues to assume no material change in our net dollar expansion rate, with moderate growth contribution for new business in 2026. Shifting to profitability guidance, for the full year 2026, we expect EBITDA margin to be in the mid-40s, implying mid-teams increase in operating expenses and free cash flow margin in the low 40s. We expect full year EPS to be in the range of 7.44 to 7.65, up from the prior range of 7.17 to 7.45. For the second quarter of 2026, we expect EPS to be in the range of 1.73 to 1.80. Our planned capital expenditures in 2026 are expected to be in the range of $8 to $12 million, and for the second quarter of 2026, in the range of $1.2 to $3.2 million. As the impact of the macro economy is still unfolding, we are closely monitoring the business environment and adjusting our priorities accordingly. That said, considering the long-term growth opportunities ahead of us and our industry-leading margins implying further room for investment, we intend to continue to responsibly align our product and marketing investments to focus on high-impact initiatives aimed at driving more pipeline, accelerating our partner program and expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing with more modest increases in engineering and GNA. With that, Samad and I would be happy to answer any of your questions.

Operator

Thank you. As a reminder, to ask a question, please press star 11 on your telephone and wait for your name to be announced. To withdraw your question, please press star 11 again. The first question will come from Patrick Colville with Scotiabank. Your line is open.

Patrick Colville, Analyst — Scotiabank

Thank you very much for taking my question. Sumed and Jimmy, in your prepared remarks, I mean, I think you did a really good job of conveying why risk quantification, I guess, testing whether an asset is exploitable with a runtime context, the ability to kind of patch and revalidate all make qualis at low risk of ai disruption in the enterprise but what i want to ask though is there's a lot of hype around anthropic clawed mythos open ai gpt 5.4 cyber are they leading to more inbounds and if so like how will those inbounds and that kind of surge of interest translate into the financial model in 2026?

Sumedh Thakar, CEO

Yeah, that's a great question. And I think our customers who are in this day in and day out, they understand pretty well that this is going to lead to more disclosures of patches and vulnerabilities from multiple vendors that they use. And I think the challenge is going to be more about – on the positive side, I think these models are helping companies get better with finding these vulnerabilities themselves versus waiting for attackers to find them. But it also means that they're going to lead to more patches being announced by multiple vendors that the customers will have to deploy. And I think the challenge is going to be more that once the patches come out, attackers leveraging AI can reverse engineer those patches and find the exploits. And so it really becomes a game of how quickly can you apply the patch that the vendor is giving in a matter of hours and not wait for days and weeks as it happens right now. And that's where a lot of the conversations that we have had with our customers, we're seeing a lot of CISOs and customers reaching out to understand how our patch management capability and remediation capability and exploit validation capability is really going to be helpful for them because they all need to provide an update to their board in terms of how they are going to fight against the AI-induced attacks that are coming from these models getting better, and the response cannot be we are going to do more manual remediation. They need to have a response that anchors themselves in fighting autonomous AI attacks with autonomous remediation, and they see us as a trusted vendor having deployed 150 million patches already and 40 million of those already fully autonomously deployed. And so a lot of those conversations are positive right now, but of course it's in the early stage and we need to work through to see how they take out the conversations, how they go back to their boards, to their IT teams, partner with the IT teams. So happy with the activity, but a little too early right now to talk about how the impact is going to be on the pipeline and outlook. As Jumi said, we're not considering any change from where we are right now in terms of the guidance, but we are happy to see the engagement that we're seeing from the inbounds that we're getting from customers trying to understand how best they can respond to this.

Patrick Colville, Analyst — Scotiabank

Very clear. Can I just touch on that point? Jumi, you very kindly last quarter provided us a soft guidance for 7% to 8% current billings growth in 2026. Is the point you're trying to make in the prepared remarks that remains the case? So no change to that level, even with the, you know, strong 1Q performance and, you know, I guess the positive vibes that Sumed were just talking to.

Joo Mi Kim, CFO

Yes, that's correct. I think that if you take a look at our Q1 performance, it was a solid start to the year. We're very pleased with the Q1 outlook as well as what we anticipate for the rest of the year. However, we don't see any material kind of meaningful change for the full year today. So given that, the baseline still remains at 7% to 8% for the current billings for the full year.

Patrick Colville, Analyst — Scotiabank

All right. Thank you so much.

Operator

Thank you. And our next question will come from Roger Boyd with UBS. Your line's open.

Roger Boyd, Analyst — UBS

Great. Thanks for taking my questions. Sumed, it was a strong quarter from a new customer ad perspective and particularly for 1Q, which is typically a season a little bit lower. Can you just talk about what's working right from a new logo perspective and then everything you just kind of mentioned from a patch management remediation standpoint, to what degree is that sort of impacting the new customer conversation? Any metrics you can give around attach rate of patch management or true risk eliminate would be great. Thanks.

Sumedh Thakar, CEO

Yeah, great question. And I think, you know, we kind of talked about right now where we are with patch management, sort of 8% of LTM overall bookings and 15% of new bookings, right? And I think definitely good execution by the team. Focused execution is key there. If you can recall what we talked about at RSA and a little bit before that, our focus on agentic AI agents as we went into last year. I mean, if you look at today, what everybody's talking about is how can we very quickly, autonomously remediate things, and this is not by accident that we are here right now. We have been delivering capabilities around patching, going beyond patching, the exploit validation, and those messages have been resonating with customers. And so I think this is leading to better conversations with customers as they look at, we're encouraged with the conversations we are having around ETM. I mean, the thing is, look, at the end of the day, risk measurement and risk management is going to be critical because if the number of patches that you have to deploy explodes, you just, as a company, cannot just deploy all the patches. And so anchoring it back to risk is very important. So eliminating the right risk and the minimum amount of risk is important. And to be able to get there so you're not patching and fixing everything, creating more risk from an outage, ETM then becomes very important because ETM is the one that does the hyperprioritization. And for ETM to be successful, you need high-quality detection capabilities. I think one of the concerns that customers have brought up after these models have come out has been the question of false negatives, right? If you are using Tier 2 scanners, the time it takes to get signatures out and find the findings versus a scanner like Qualys where we are getting signatures out multiple times a day, we are adding capabilities to detect things to reduce the false negatives is becoming very important. And I think that those conversations are culminating in positive conversations for ETM, which is still early. And ETM and eliminate conversations typically, they do go hand in hand many times. And so I think while it's still early for ETM, we are encouraged by the conversations that we are having at this point. And so, again, we have to work to continue the execution. We're happy with how Q1 went, but we're going to continue to work on executing with the opportunity that's in front of us. And like we said, our partners are working with us closely and we look forward to continuing our partners bringing us additional sort of new logos and working with our existing customers with the MROC services, which can get more value for existing customers through our partners to make sure that our upsell also continues to take up.

Roger Boyd, Analyst — UBS

That's really helpful. And then maybe just a quick one for Jumi. On QFlex, you talked about kind of building out this pipeline and identifying a customer pipeline to extend that procurement model too. Can you just talk about kind of the customers that you see as a good fit for QFlex and any thoughts on when that kind of push could start this year?

Joo Mi Kim, CFO

Yeah, so mostly QFlex is targeted towards our enterprise customers who need that flexibility to potentially cover the forecast that they have anticipated for the full year. So as an example, what they're looking for is given that we continuously enhance our products and come out with newer products throughout the year, they want the comfort of having to pre-purchase or pre-commit to a higher amount that they might necessarily think that is absolutely needed for the year. So we've been talking with our select group of customers that have the budget, that are willing to pre-commit to a higher credit with Qualys with the ability to swap out different products and offerings and try out newer solutions throughout the year. We're pleased with the momentum that we have today, and we do plan to go GA with QFlex later this year.

Sumedh Thakar, CEO

And I would quickly add to that this is right now with what is happening is a good example of where a QFlex model will be helpful for a customer because we didn't have exploit validation earlier last year, but now that we have that and we have a mythos driving more focus on patching, QFlex customers through the year will have more flexibility in being able to use those credits to suddenly pivot towards patching more because there is a particular event that has come up and not have to sort of keep going back from a procurement perspective. So like Jumi said, exciting early conversations with these large customers and we look forward to working through with them this year and then, you know, kind of getting towards the GA by the end of the year.

Roger Boyd, Analyst — UBS

Makes a lot of sense. Thank you both.

Operator

Thank you. And the next question will come from Kingsley Crane with Canaccord, your lines open.

Kingsley Crane, Analyst — Canaccord

Hi, thanks for taking the question. Sumed, I guess just to start off, I'm kind of curious, how important is access to something like Mythos Preview just for your business at all? And then just in general, you know, talking about the growing marketplace of agentic AI solutions, you know, we've seen a pretty significant jump recently, even with just models like Opus 4.7. But what is the future of that type of integration with agents for the platform and, like, how relevant is inference as a line item for Qualys, you know, if you look, like, three years out?

Sumedh Thakar, CEO

That's a great question. I think it's less about a particular model and more about the direction that these models are going, right? And so I think for us, we have been leveraging other open source models as well, and we're excited to now be part of the TAC program from OpenAI, which gives us access to GPT 5.5 Cyber, which is an equivalent model for the most part to Mythos as an example and also part of the Cyber Verification Program. And since we have really been doing a lot of exploit and vulnerability research ourselves, These type of models, whether it be these two frontier models or other open source models that I've been using in my mind are definitely something that help us do a better job of figuring out exploits that we can safely create for our customer environment so that the customers can really test these at scale through the Qualys platform. It also helps us do a much better job at figuring out the right patches or the right mitigations. One of the key things that we have done at Qualys is really put a lot of research energy into coming up with mitigations that don't need a patch. People worry about patches, but we reverse engineer patches to figure out maybe there are other mitigations that can be leveraged to make sure that these mitigations can help the customer deploy a compensating control on the machine without having to deploy an immediate patch, which is extremely valuable for them when they only have a few hours to make a decision on mitigating a highly exploitable vulnerability. And that research is definitely, you know, what we have been doing as the models are progressing, these partnerships definitely help us accelerate and cover more and get more options to help our customers go through that. So I see that leveraging these models, either whether it's through research or integrating with them to pull findings from these models so customers can actually take their core findings and run it through the millions of Qualys agents that they already have installed to find the actual instance of that. or whether it is overall our own agentic AI solutions where we use different small language models, large language models to optimize the outcomes for whether it's Chad, whether it's an AI agent that is taking action. I think that is something that we look forward to continuing to partner with whether it's open source or these frontier models. And I do think that for any solution, it is going to be important to make sure that they leverage some form of AI capabilities. It's just that because we uniquely do the exploit validation and patching, we have a very interesting use case for use of these models.

Kingsley Crane, Analyst — Canaccord

That's really helpful. And for Jimmy, you know, it's great to see the continued efficiency in the business. You've talked about R&D growing a bit more modestly than sales and marketing this year. So with 2% growth year over year, is that about what we should expect for the rest of the year? and just, like, taking bigger picture in such a dynamic time for the cybersecurity market. I mean, what would get you to invest more in that line item and then understood that, you know, you're already very efficient there operationally? So I can appreciate that.

Joo Mi Kim, CFO

Yeah, currently what we're forecasting is optics growth in the mid-teens. Sales and marketing continue to grow well above the 15% mark. Last quarter it grew by 18% over a year. This quarter, 17% year-over-year. So with sales and marketing potentially ramping in the second half of the year, the rest of it that we've allocated is for the R&D for the most part. We do anticipate significant investments that we think that could be justified from a return perspective, especially with the AI investments that we continue to make in the business. So given that, we're guiding to mid-40s EBITDA margin, which is implied by the mid-team growth in Op-Ed.

Operator

Thank you. And the next question will come from Jonathan Ho with William Blair. Your line's open.

Jonathan Ho, Analyst — William Blair

Hi, good afternoon. I just wanted to better understand sort of the pre-breach risk management opportunity and how maybe this changes from prior approaches and what makes maybe Qualys better position than other competitors to offer this solution. Yeah, that's a great question, Jonathan.

Sumedh Thakar, CEO

I think it's not that it changes from the prior approach from a Qualys perspective. We have been building and innovating around the etm platform and the concept of a risk operation center the last couple years almost in preparation for something like this where we will see significant number of vulnerabilities coming our way but you cannot fix everything in an operation and you cannot play with vulnerability whack-a-mole where you're trying to jump from one vulnerability to another so the idea of creating a risk operation center and implementing that with etm has been to make sure that we are creating an outcome where things are fixed for the customer in a matter of hours and I think that's an approach that's different than a CTEM solution which is waiting for collecting data from different scanners and then creating some reasoning but then they don't actually do the patching they pass it off to somebody else to do the patching which again loses time as an example and so what I think we are seeing is the opportunity here is having created sort of this end-to-end. I mean, what's interesting is if you look at our demo that we did at RSA about AgentVal, AgentVal went from finding the vulnerability, validating the exploit, applying a mitigation, and then revalidating the exploit that it is fixed in under 15 minutes. I don't know if any CTEM solution can really do that where you get an outcome of something being fixed. And then with ETM, we have focused on the CRQ aspect of it as well, right? Just because the vulnerability and patch count goes up significantly, customers still need to think of this in terms of the business and the budget that they've allocated and how much of a risk to the business do these vulnerabilities carry so that they can make better decisions on prioritization. And that's again the other aspect of our ETM solution been integrated now with a cyber insurance company where if you have a good score on your, a good score that demonstrates you are actually doing the right cadence of fixing your vulnerabilities you can actually get a premium reduction for your cyber insurance which is a positive thing for your business and so etm really has been about taking the businesses quantification the the ctm the traditional ctm component but also pairing that with expert validation and remediation giving an end-to-end outcome i think I think what we are seeing now more is the customers who have been interested in this are now feeling like this is the time that they really need to look at this more deeply because of the number of vulnerabilities that are going to come their way. They feel like looking at a risk operations center and ETM and the ability to maybe some of the resistance that people have had in the past against autonomous remediation or patch management. And in the initial conversation we have had in the last couple weeks, we're seeing a bit of a change in the way people are thinking about this as given that the threat landscape has changed. So in that sense, it's a positive outcome for us to say that instead of other solutions where somebody else is scanning, somebody else is pulling the data, and somebody else is touching, the ability to go from detecting, validating, fixing, and revalidating in under 15 minutes is something that is really desirable. And doing that at A6 Sigma Accuracy is very desirable for our customers. So I think it's more that our platform really was innovated and designed for this, and now we're excited to see sort of these early conversations we are having with customers that are more interested in looking at this now because of the push coming from these front-end models detecting more vulnerabilities.

Jonathan Ho, Analyst — William Blair

excellent um just one quick follow-up you know does mythos potentially expand the number and types of assets that you would also cover as well as maybe accelerating you know sort of this adoption of more products on the platform you know to deal with the increased complexity thank you

Sumedh Thakar, CEO

yeah i think uh you know these models will be able to find vulnerabilities in any code base right and so i think that's where the comprehensive nature of the quality sensors whether it is detecting vulnerabilities on network assets, right, like let's say the traditional assets which have agents on laptops and other servers, expanding that into network assets or network-based assets like firewalls and VPN devices or cameras that are on the network or IoT devices. We already covered that. And then, of course, we also covered cloud and container security and a lot of these. And so I think what we are going to – what we are seeing right now is that customer interest in covering as much as possible more natively so that they can get quick scan results and not have to wait four hours to pull the scan results if they can do more and more of those natively. So I think given that the threat, whether your server is running on-prem or in a data center or if the server is running as a container in the cloud, the threat from a quick vulnerability exploitation coming your way is similar. The conversations do lead themselves to it and in a way the way ETM is designed, it is designed to pull data from all kinds of different capabilities, whether it's cloud or containers or others. And so there is more willingness from customers to say, today they are doing dashboard tourism they have a separate dashboard for code scanning a separate dashboard for cloud a separate dashboard for on-prem a separate dashboard for endpoints if there is a way to operationalize and consolidate all of these different types of assets into more of a unified workflow where agentic ai is is looking at it making you know autonomous decisions by looking at the the previous enterprise context and then minimizing and and then executing the minimum remediations, that is really where the focus of the customers is. So I think, again, how these conversations proceed will be interesting, but it does lead customers to say, I don't have necessarily the time now to go to look at eight different individual risk management dashboards when it comes to pre-risk breach management. If there is a way for me to pull different things, normalize all of that, and quickly focus on the ones that matter the most, and then actually validate with exploits and remediate those. That is the ideal solution.

Operator

Thank you. Thank you. And our next question is going to come from Rudy Kessinger with DA Davidson. Your line's open.

Rudy Kessinger, Analyst — DA Davidson & Co.

Hi, guys. Thanks for taking my questions. I guess I'm curious just on the ETM sales so far. Are you getting that full $1 uplift on those early sales so far? And then if we think about the 107% net expansion rate with those customers, I feel a little foggy on that. You're saying that includes customers who have purchased ETM in the past. I guess, does that expansion percentage include, you know, the upsell from them purchasing ETM, or if you could just break down that number a bit further?

Joo Mi Kim, CFO

Yeah, it's a little too early for us to comment on how much of the uplift actually is. The illustrative dollar uplift is based on more of a list price. the cohort of customers that have subscriptions to ETM is too small today. And so given that, what we decided to do was the number that we disclosed, 107%, that actually includes customers who purchased CSAM or ETM. And so the way that we calculate that number is one year ago from today, so Q1 of 2025, which customers had ETM or CSAM subscriptions? We took those customers and then the revenue that they generated in Q1 of 2025. So that would be the denominator. Took the same cohort of customers in Q1 of 2026 and looked at the revenue contribution from that group. And so we calculated that percentage. It doesn't just include the ATM or CSM subscription. It's a total spend by those customers. So what we're thinking is our hypothesis is these customers, theoretically, Whether they have CSAM and then eventually later upgrade to ETM, because ETM is essentially an upgrade from CSAM, or they start to purchase ETM, these board of customers will help to drive the total net dollar expansion rate eventually because they see the value in it. They'll be stickier with us, and then they'll resist in a higher upsell. So that's part of the reason why we're tracking this metric internally, to make sure that, one, we're successfully upgrading CSAM customers to be ETM customers, and two, is that really generating the type of upsell that we're looking for?

Rudy Kessinger, Analyst — DA Davidson & Co.

Got it. That's really helpful. I must have misheard it earlier on. And then secondly, how should we, you know, what does sales productivity look like? How has that been trending in the last few quarters? And, you know, just given the increases in sales and marketing expense outpacing the revenue growth, you know, is there a lot more marketing dollars in there or where all is that, you know, investment going in sales and marketing?

Joo Mi Kim, CFO

Yeah, majority of the increase in sales and marketing is still driven by headcount. So if you take a look at our headcount growth, it was over 10% for the sales and marketing that GTM said last year. And part of the reason is because we do see a huge upside in the business. And because we are focused on moving the business from direct to indirect, as we work closely with the partners, we have different sales teams, whether it's a sales team focused on direct sales or sales team focused on ETM sales or a sales team that are really focused on the channel management or relationship there. And so we do anticipate continued growth and continued investment in that team. And so as a result, the productivity is not necessarily the traditional SaaS view of it. It's not exactly where we think it will be in the future. We're working on it right now. There's room for increase in efficiency. I'm quite not seeing it there yet, like you pointed out, especially because, you know, we do see this is a time for us to invest more versus making sure that we scale that based on the productivity metrics that we see today.

Operator

Thank you. And our next question will come from Joseph Gallo with Jeffries. Your line's open.

Joseph Gallo, Analyst — Jefferies

Hey, guys. Thanks for the question. I believe you mentioned that your guidance today reflects NRR kind of stays flat, but yet, you know, ETM, you know, NRR is 107 and expected to grow. So how should we think about the potential timeline for acceleration of total NRR? And is there any pressures or offsets that we should think through that might keep that number flat over the next couple quarters?

Joo Mi Kim, CFO

Yeah, NRR has been around the 103-104% range for the last couple quarters. And the reason why we're still assuming for the baseline that to be the case is because ETM is still in the early stages. We don't anticipate a significant ramp in terms of the adoption of ETM that will result in the total company NRR rate to be taking on materially this year. So for this year, our baseline is taking into consideration the macro factors, you know, geopolitical conditions today, we do see some potential headwinds. Could be fully offset by the tailwinds, as Ahmed had mentioned earlier, with the increase in demand, given that, you know, our customers are willing to send more with us, increase in cybersecurity risk that we can definitely help to remediate. But with that said, all in all, our guidance assumes, you know, baseline case of growth more or less in line, definitely from the current billing perspective, revenue we've increased slightly just because of the beat that we saw in Q1. But overall, nothing has changed from the from the case that we saw earlier in

Joseph Gallo, Analyst — Jefferies

February. Oh, no, that's super helpful. Thank you. Just as a follow up, I mean, you mentioned kind of geopolitics, tensions. I think you made a comment in your opening remarks about closely monitoring the business environment, adjusting priorities accordingly. Is there any way to quantify, I guess, what you're saying? Is that mostly related to the war? Is there anything in terms of customer budgets and they're prioritizing AI spend today and not necessarily cyber? I'm just kind of curious what the actual math was behind some of those comments you made on macro and if

Joo Mi Kim, CFO

anything has changed over the last 90 days. Yeah, the way we're monitoring the situation is basically stemming from the conversations that we're having from our existing customers as well as new prospects. So when we're discussing potentially, you know, coming over to Qualys as a new customer or increasing their spend with us, whether in quarter cycle or out of quarter cycle, there could be disruptions during that discussion. So as an example, I would say that any announcements from open ai or or anthropic could could be a disruption as in as we're talking through it um it could be a factor now that could result in increase in sale from us um but it could increase the sales cycle and so that's why we're taking a look at the scenario there will be puts and takes there will be some gains there will be some offsetting factors and that's why we thought that you know the baseline if you model it out the way we view it today is more or less falls in the range that we had calculated at the beginning of the year.

Sumedh Thakar, CEO

Yeah, and so far in terms of budgets, we haven't seen any real changes there from customers or any conversations directly when it comes to cyber. I think it's state roughly the same, but as Jumi said, you know, just being prudent at sort of what potentially we should look at in the future.

Joseph Gallo, Analyst — Jefferies

That's reassuring. That's good to hear.

Operator

Thank you. And the next question is going to come from Shrenik Kothari, who is Mayer.

Shrenik Kothari, Analyst — Mayer

So in light of the Frontier AI agentic explosion and now with Agent Val to more broader remediation, you also emphasized the patchless patching, which I remember you've been specializing in and talking about in the past. So I know you've talked about early customer conversations. Just really appreciate if you would maybe point to some anecdotes, some proof points, how that can or is becoming a real budgeted sort of operating priorities for customers over and above, typically, as products customers like conceptually, but just what's really changing and anything you can point to and have a quick follow.

Sumedh Thakar, CEO

Yeah, like I said, I think I gave you an example of, we have been having quite a few customer conversations in the last few days, and I had a CISO of a very large bank in Canada sort of got on the call, and he's like, basically, look, our challenge right now is how do we get things quickly? and key scanner right now and who should we partner with for patching and when I was able to explain to them we already do the eliminate part, immediately he was excited about that so that he could go talk to his board that they're partnering with a solution that is going to help them have the ability as needed to rapidly fix and patch things and not wait for the IT team's patching solution to take days and weeks to patch things. And so that led to an immediate conversation of starting an immediate POC as an example, right? So again, it's early days. That's an anecdotal example. But we are seeing that pushback or resistance that we had for integrated patching and autonomous patching in the early conversations is coming with a, like, where they are asking, hey, do you have a patching capability? Because that's what I need to be able to explain, not that I'm finding more and scanning more, or I'm taking my scanning and I'm passing it off to some other patching solution, which is taking even longer. So that is an example of a good conversation that we had where customers were excited to have the ability to quickly find, remediate, quickly find, exploit it, verify it, patch it in a matter of hours and be done so they can show that level of success rather than just finding more things. So that would be an example of just something that happened two days ago.

Shrenik Kothari, Analyst — Mayer

Great. That's super helpful, Sumed. And just, Jumi, a quick follow-up. Following up to Joe's question on NRR, I just wanted to hear your thoughts on what moves the needle for this next leg of growth. I mean, you still appear to be guiding off sort of a base case with no real assumed NRR movement. You, of course, have Agent Wall in GA. There's better ETM mix. There's continued strength in channel, international. So can you help us understand, is it mainly just prudence about the sales cycles, as you mentioned, and you still need more proof points on monetization? Or there's also some legacy mixed drag, which is playing a role in addition to you accelerating higher value attached here.

Joo Mi Kim, CFO

Yeah, it's based on a historical track record of what we've been able to see. One of the reasons why we thought that this was the best metric that we could share with the investors today is because if you take a look at our historical products, whether it be CSAM or otherwise, it does take a bit of time for our newer products to take to our customers. So as an example, CSAM was actually launched in 2021. And if you take a look at the percentage contribution to bookings, ETM plus CSAM currently make up 11% of bookings on an LTN basis. So you can understand that how we're looking at the CSAM conversion or upgrade to ETM will likely take some time since ETM just went live and it's been in GA for a little over a year. So given that, we're assuming that this will take time for more of our customers to adopt ETM and that will translate to increase since then. That's meaningful enough for the total revenue growth. Got it. Thanks a lot, Julian.

Operator

Thank you. And the next question will come from Brian Essek with JPMorgan. Your line's open.

Brian Essex, Analyst — JPMorgan

Hi, good afternoon. Thank you for taking the question. I guess maybe one for you, Samad. On the back of, you know, the increased capabilities of foundation models in the security space and thinking about where you're seeing vulnerabilities across the spectrum where you have, you know, operating systems, infrastructure, both package as well as custom applications and then OT environments, the spectrum of fixability, if you will, across those different types of areas can be materially different, particularly, you know, for like hardware, some of it can't be patched, it might have to be replaced, custom apps that have to maybe need to be refactored. From your experience and what you're seeing from the foundation model companies, where is their expertise best placed for vulnerability discovery and potential exploitation? And how does that change the risk profile of your customers and how they may utilize your platform to mitigate those risks?

Sumedh Thakar, CEO

Yeah, great question. And I think helping software developers find more vulnerabilities in their code is definitely one of the key things there that these models bring and which will definitely lead to more discussion. But in theory, right, you could say that, well, if all software developers are able to find these vulnerabilities using the models, then you kind of don't necessarily have a zero-day problem because all these software developers will find the code themselves before the attackers do, and they will create patches, right? and then customers just have to focus on applying those patches. I think the other capability the frontier models are doing well is the ability to chain low-level vulnerability exploits that maybe have a lower CVS score and the customer might not have fixed those in the past because their score was low, but being able to chain a few of those to create an exploit. And that's where the advantage of the True Risk platform is very solid because our True Risk scoring, and we have demonstrated this multiple times that we are actually scoring low-level CVSS vulnerabilities as very high, about 40 days before they get added into CSACFs, as an example. So having the customers have that intelligence that we are bringing to their environment to say, look, this is a low-level vulnerability, but it is prone to be used in an attack and making sure that that is mitigated becomes important. Now, the third piece of what you mentioned is, I think it's perfectly fine to say that I'm not going to patch this, because my risk is low and that's a very individual organization level conversation that needs to happen which again with ETM and the True Risk platform, we are helping customers understand the context in their environment, understand the exploitability and make the determination that maybe it's perfectly valid to say we're not gonna patch this because we have mitigating controls in place and that's where we were again ahead of the curve when a couple years ago we introduced the concept of patchless patching is the ability to deploy mitigations for some of these environments where, yeah, you cannot necessarily patch an OT asset immediately like you would normally do, or even regular assets with operating systems and packages, but providing them a way to say, look, I think if you just delete this old DLL, which our agent can do for you, deleting a DLL or making a change to a registry key or something simple like that can actually prevent the exploit from running in that particular environment. And so that is the third piece of it which is perfectly valid with etm to say look less than 1% of the vulnerabilities are actually exploitable in your environment and then these are the ones we don't need to fix because we validated they're not exploitable but then to also be able to say we actually have a way to mitigate this with with a compensating control without deploying a patch makes it very interesting in fact one of the popular ones with our customers is we provide them the ability to see that the package that has the vulnerability is actually not being used on the asset for the last 18 months. So uninstall is actually a better option than trying to patch it. So that's why I call it the eliminate buffet, which gives customers multiple different choices because the goal is not a patch. The goal is to remediate and eliminate the risk. That's why the true risk eliminate with prioritization and validation becomes so important.

Brian Essex, Analyst — JPMorgan

Great, that's super helpful. And maybe if I could squeeze one in for Jimmy on QFlex. It sounds like, you know, that the programs targeted at large enterprise customers are already spending a meaningful amount on the platform. But are you, is there any potential for existing customers who may be ripe for migration to ETM where you can actually accelerate that migration by, you know, offering them QFlex as well?

Joo Mi Kim, CFO

There is. And so we are working with customers today. So we are working with a group of customers too, so that they can, they have an option of adopting QFlex today. And so it's, it's not stopping. It's just that we are planning to go pull out the HEA with it by the end of the year. So we think that there is definitely a potential where that could help us to drive growth.

Sumedh Thakar, CEO

And we do have those conversations with customers who are looking to do ATM. We start the conversation with QFlex, which is well-received, especially given this environment where so many new capabilities are coming, things are changing fast, and they need the flexibility. Even if you're not the largest enterprise, you still need the flexibility to be able to move things around pretty quickly. And in fact, enterprises that don't necessarily have a cyber budget, that is the size of the GDP for a small country, actually have the most value in many, many times from being able to do these kind of automations and say, like, I don't need to fix all these things because I validated they're not relevant in my environment, no matter what the frontier model says.

Brian Essex, Analyst — JPMorgan

Right. Makes a lot of sense. Thanks. Thank you for the color.

Operator

Thank you. This is all the time that we have for questions. We want to thank you for your participation. This will conclude today's conference call, and have a good evening.