Qualys, Inc. (NASDAQ:QLYS) Q4 2023 Earnings Call Transcript

As you saw, I talked about a couple of our partners have started now to actually provide patch management-as-a-service based on the Qualys patching in addition to the VMDR, right? So now — and we already have a couple of smaller partners that we’re doing that is an artsy Orange and Kudelski starting to do that. Those partners are also helping us have these conversations with the customers because sometimes the partner has a better access to the IT team than we do directly from the security. So having these partners starting to adopt patch management is also very exciting because now they are actually taking patch management to these customers and helping push that. And so I think it’s a combination of helping overcome the silos of IT and security, showing the success that we have had and then our partners really taking us out there and multiple of our customers at our user conference and QSC, including GE and others talked about how they are actually successful with our patch management solution and our cybersecurity asset management solution with external attack surface.

So I think it’s a combination of all these multiple things and that’s one of the reasons that I’m looking forward to make this as a year where we invest more while — and we are in a good place with the ability for us to grow our sales and marketing head count when a lot of others are having to risk and reduce their sales marketing expense. So I’m excited and I think that’s where we’re looking to see how we can make an impact from those investments this year.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Aidan Perry from Piper Sandler.

Aidan Perry: This is Aidan on for Rob Owens. Thank you for taking my question. I just wanted to ask, if you could touch upon the comments made with the sales mix geographically. Can you elaborate on the comments made to keep the US and foreign sales mix around 60/40 and the thought process on foreign investments in the future?

Joo Mi Kim: Yeah. The way we’re thinking about it is we have a huge opportunity, because we have a large target addressable market. And for us, the majority of our growth will be driven by our platform play where if you talk about the Patch Management, CSAM, TotalCloud, all these products are relatively new to Qualys. And this is where we think that we could — we have a huge opportunity across all different regions. So we do plan on investing not only in Americas but also internationally as well. So we expect the growth to kind of continue as is. If you take a look at the prior years, there have been some periods where the outside international revenue growth would be faster than the US and vice versa. And so that’s why we gave the guidance. We expect it to be approximately similar 60-40 going forward based on our investment plan for 2024.

Aidan Perry: Thank you.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Shrenik Kothari from Baird.

Shrenik Kothari: Yes. Thanks for taking my question. Sumedh, you highlighted the TruRisk platform and how it’s aligning with the customer priorities under these tighter budgets with the CISOs getting to monitor the ROI. So, of course, the early feedback you said is pretty positive and kind of underscores the platform’s potential. Now, you mentioned about capitalizing the rolling up of multiple modules. But there are others out there who have started kind of monetizing or at least planning to monetize such kind of high-level dashboard that’s as kind of stand-alone payment SKUs, given the demand potential in strength. Is that a model that you are considering or potentially can consider? So that’s — I have one quick follow-up as well.

Sumedh Thakar: You mean other solutions that are integrating different capabilities together stand-alone solutions?

Shrenik Kothari: Yes. And the dashboard in itself becoming a kind of monetizable stand-alone SKU at some point?

Sumedh Thakar: I see what you’re saying. Yes. So I don’t — I think we’re still early in the game to have a specific pricing model that we have released. We are working with our customers to understand that. But see the advantage that I see over sort of stand-alone dashboard consolidating product is, first is the customers already have Qualys. So instead of having Qualys and then buying another solution to pull data from Qualys and other solutions into that the dashboarding solution itself is operational challenge for them. The second thing is that, none of those solutions actually do elimination or help into getting the customer to fix those issues that they find directly onto the platform. And so today our focus is not necessarily on monetization of the dashboard itself, but it is about if you get that particular dashboard are you more inclined to say I’m just — I don’t want to get five different point solutions and build a dashboard myself.

I would rather just buy five modules from Qualys and then the dashboard already providing you. So the dashboard in fact becomes the enabler for you to try to get these additional modules from Qualys. And then the upsell from there becomes that, I can also help you fix this by leveraging Patch Management and mitigation. And the TruRisk Eliminate that we talked about is also very exciting, because patching sometimes has some resistance, because people don’t want to deploy a whole patch, but now with TruRisk Eliminate, we are providing other mitigation options that the customer will be able to deploy that do not require a patch to be deployed. They can actually make them fix changes through Qualys and fix some of the things on the asset itself, especially in a zero day.

So the idea there is really about the platform being an organically developed single platform. And so the dashboard is what unifies everything together. But the unified dashboard is the reason why you would consolidate multiple modules rather than getting five different products from five different vendors and trying to do it yourself with a sixth vendor.

Shrenik Kothari: Got it. Sumedh, that’s super helpful. And just very quickly a follow-up for Joo Mi. So you mentioned about the channel partners compared to direct sales. Again, the channel partner’s growth is going to — far outpacing the direct sales 16% with a 6%. So can you kind of provide some color around kind of how is that being factored into the overall margin trajectory and margin guidance for the year? And is that the right assumption? Or you guys are essentially kind of consuming a different mix to end the year with? Sorry, if somebody already asked the questions.

Joo Mi Kim: Yes, no problem. So it’s already factored in. And what’s really interesting for us is and this is something that we have mentioned at the beginning when we started to really think about how to better our partnership with different channel partners. If you take a look at our mix, right? Channel partners used to make up like approximately 40% of our revenues, and that’s trended up to 40%, 41%, 42% and ending the year 2023 was 43%. It really didn’t have much of an impact on our gross margin. And if you take a look at our EBITDA margin as well, you can kind of see it had — it’s not really tied to the percentage increase from the partner mix going from 40% to currently sitting at 43% for the total year 2023. And that’s why we think that it will slowly continue to step up with it being 44% for Q4, maybe a percentage or two, we don’t think that it will be a meaningful impact to our margins.

Shrenik Kothari: Got it. Thanks a lot.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Brian Essex from JPMorgan.

Brian Essex: Hi. Good afternoon, and thank you for taking the question. I guess, Sumedh, the question for me is basically set around SecOps and cloud security. I mean, the two segments that are — we’re seeing quite a lot of demand for and growth across the industry. So, I guess the question is with your — what seems to be an approach of landing with a Cloud Agent based risk management strategy and then expanding into what seems to be some pretty robust features and functionality in those emerging segments, any focus on shifting the strategy to lead with SecOps with cloud security and then cross-selling risk management? And just kind of wondering, if there’s a way to adjust the strategy to capture some of that demand as opposed to leading with risk management. And then maybe a part B, particularly on cloud security, any headwinds there if that might be a bit of a different sale than the overall risk management platform?

Sumedh Thakar: Great question. So that’s what I mentioned that we are quite pleased, again, with smaller numbers, but in the last couple of quarters to see that net new business is coming to us with interest in cloud security. And to the question that you asked, we’re finding that our — we have a fairly robust solution now. It’s not just the cloud agents. We have CSPM built in, we have now acquired Blue Hexagon, which gives us some malware capability as well. And so we’re finding that our sellers are actually a lot comfortable with pitching and providing the POCs for the cloud security solution as well even in our SME, SMB segment where there is kind of a smaller POC cycle, et cetera. So that’s encouraging for us. And so that’s the reason why, like I said, this year, we are looking at part of our sales marketing investment is to do cloud security specific demand gen to bring people who are looking for cloud security directly to us and not just the VMDR piece.

And so those who are looking for cloud security, then we can say, look, a lot of these top big vendors that have cloud security-only solutions, those customers that, in anyway, end up using Qualys Cloud Agent in the cloud for a much better comprehensive vulnerability management. And so then they have two consoles and they have to leave all of those together. And so with us kind of providing a package all-in-one solution and providing a single view of the risk on the normally cloud environment, but in the non-cloud environment, that is an area where we’re looking, we’re continuing to work with our team on GTM, enablement from a sales enablement perspective and with our launch of TotalCloud 2.0 today, providing SaaS capability, which is a big differentiator where any CISO is concerned about the O365 configuration and really — but does not have a good way to see that today.