Qualys, Inc. (NASDAQ:QLYS) Q4 2024 Earnings Call Transcript

Qualys, Inc. (NASDAQ:QLYS) Q4 2024 Earnings Call Transcript February 6, 2025

Qualys, Inc. beats earnings expectations. Reported EPS is $1.6, expectations were $1.35.

Operator: Good day, and thank you for standing by. At this time, all participants are in a listen-only mode. After the speaker’s presentation, there will be a question and answer session. To ask a question during the session, you will need to press star one one on your telephone. You will then hear an automated message advising your hand is raised. To withdraw your question, please press star one one again. I would now like to hand the conference over to your speaker today, Blair King. Please go ahead.

Blair King: Thanks, Gigi. Good afternoon, and welcome to Qualys’ fourth quarter 2024 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today’s press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. Reconciliation of GAAP to non-GAAP measures is included in today’s earnings press release. And as a reminder, the press release, prepared remarks, and investor presentation are all available on the Investor Relations section of our website. So with that, I’d like to now turn the call over to Sumedh.

Sumedh Thakar: Thank you, Blair, and welcome to our fourth quarter earnings call. Looking back to last year, I can truly say that 2024 was a year of incredible product innovation and rebranding of Qualys as we celebrate our 25th year anniversary. As one of the first SaaS security companies in the world, we have continuously strived to exceed market expectations and serve as the leader when it comes to software technology and cybersecurity. The message is clear. Today’s CISOs want to anchor cybersecurity conversations around business reflection and the impact of their cybersecurity spend. The market wants a platform that enables them to speak a unified language of risk to their boards and business partners while letting their teams pick the underlying platform and best-of-breed solutions for specific areas in cybersecurity, rather than an aspirational goal of consolidating 50 different cybersecurity vendors into one.

Recognizing the difficulty and complexity of implementing and utilizing multiple security solutions from numerous security vendors, we have evolved our platform, previously focused on vulnerability scanning and telemetry collection, to become a full-featured risk analytics and quantification platform bringing data analytics and insights with embedded AI models to customers while giving them the flexibility to continue to leverage their existing security tools. The net result for customers is a vendor-neutral outer layer that provides full visibility and risk scoring for an organization’s entire attack surface, aggregates and correlates all security findings, leveraging over 25 threat feeds, and powers a single AI-driven workflow that centralizes, quantifies, articulates, prioritizes, and remediates cyber risk, delivering the efficiencies of consolidation.

The rebranding and continuous enhancement result from our unwavering focus on product, our customers’ needs, and addressing their challenges with innovative new solutions. In 2024, this collaboration led to significant platform enhancements that bolstered our strategic relevance and furthered our market opportunity. We introduced Trulicity Eliminate to extend our remediation capabilities beyond. We enhanced our cybersecurity asset management capabilities with patent-pending technologies to turn previously unknown internal and external-facing assets into security-managed assets in real-time. We brought the micro attack prioritization matrix into the Qualys tools platform.

Blair King: Unified cloud infrastructure entitlement management, CIM, container runtime protection, Kubernetes posture management, fast security posture management, and our AI-powered truth insight capabilities into our total cloud CNAP platform with multi-cloud IT SME integration, strengthening our market position and further fixing the power of our platform. We went GA with our enterprise tourist management solution, setting a new gold standard in the industry for proactive cyber risk management and planting the flag for organizations to operationalize a modern risk operation center, ROC, at scale. In less than a quarter since going GA with ATM, we have seen strong interest with currently over 50 active prospects for POC. Our ATM solution goes beyond current continuous threat exposure management, CTM platforms, with our ability to speak business language, effect remediation actions, and partner with cyber insurance underwriters.

We believe these innovations will allow our customers to standardize on a trusted platform like Qualys, layering on top of their other existing cybersecurity solutions. With a long track record of solving the most challenging cybersecurity challenges, challenging use cases for our customers, Qualys pioneered the cybersecurity patching category, seamlessly integrating it into our platform and bridging the gap between IT and security teams. Last year, we successfully deployed over 100 million patches with Qualys Agent, in turn eliminating over 100 million potential incidents in our customer environment. Despite this achievement, our journey has shown that patching alone is simply not enough. This is why we introduced Trulicity Eliminate, which revolutionizes patching by empowering organizations to isolate critical assets or implement compensating controls, protecting against zero-day vulnerabilities and configurations when patches are not available or feasible to deploy.

This is a major competitive advantage, and our innovation does not stop there. We recently introduced Truist Uninstall as a fourth component to our Truist Eliminate package. Truist Uninstall allows organizations to hunt for, detect, and uninstall end-of-life software, misused or unused applications, and other forms of tech debt while removing one of the most highly exploited attack paths available to adversaries with a simple click of a button. In cloud, our innovation engine continues to execute at a high level. We believe we are increasingly well-positioned to expand our share of the evolving cloud market as CISOs look to evolve their space approach into multi-cloud environments as well. Advancing our competitive differentiation, we recently brought many new capabilities into our agent and agentless total cloud Synapse solution, including comprehensive attack path analysis, enhanced risk quantification leveraging your risk insight capability, and automated no-code, low-code cloud workflow remediation.

The latest release, which we call Total Cloud 3.0, unleashes an organization’s ability to easily visualize the entire blast radius of an asset’s attack path and systematically identify, prioritize, and resolve critical threats for pre-runtime and runtime protection. As a result, Total Cloud 3.0 is streamlining operations with an unparalleled outside-in and inside-out perspective of an organization’s cybersecurity posture for secure cloud consumption. In our view, Total Cloud 3.0 is one of the most comprehensive CNAP solutions available in the market today, and its growing momentum is a strong testament to the assurance customers place in Qualys every day. Finally, with the introduction of Qualys Total AppSec, we are now providing customers with the ability to expand their app sec assessments into expanding attack surfaces with the use of APIs for B2B and mobile apps.

Qualys Total AppSec includes comprehensive inventory and credit assessment of their web applications and APIs with unified malware detection and automated response. Moving on to the business update. Over the past several months, I personally met with many customers, prospects, and partners. These conversations all center around the same topic. Customers require a holistic view of the cyber risk when it is quantified and prioritized, articulated in terms of risk to their business, and remediated to an acceptable level in a single integrated workflow on top of their existing. Given Qualys’ blueprint for delivering these requirements with greater value to customers, our technologies are not only fueling new local land but also helping to increase broader platform adoption, especially in the areas of VMDR cybersecurity management, patch management, cloud security, and now the risk operation center delivered by Qualys ATM.

With thousands of customers consolidating on Qualys’ enterprise risk platform, let me again share a couple of recent wins which illustrate why these companies are turning to Qualys to help unify their solution security tools, quantify cyber risk in their environment, and fortify their security operations. First, an existing global 100 multinational insurance company security team with multiple tools in their environment faced increasing personnel costs and struggled with limited visibility into their overall risk profile. Through a highly competitive RFP process, this customer chose Qualys and launched an initial collapse of their security stack. They ingested data from other cybersecurity tools into the Qualys platform, enriched asset context with business information brought by their CMDB integration, and centralized the remediation.

This includes the purchase of eight Qualys modules and deploying VPN to begin orchestrating the ROC, resulting in a seven-figure annual bookings fee. We are now quickly migrating numerous data sources to the Qualys platform and delivering the outcome of consolidation and quantifiable risk and automated response aligned with business priorities. Turning to the momentum we see with the Total Cloud Synapse solution, in a mid-six-figure booking upside with a global shipping conglomerate, this existing VMDR cybersecurity asset management, vulnerability scanning, and customer assessment remediation customer launched and initiated the further unification of their security stack and replaced its incumbent cloud-only security vendor. Through its evaluation, this customer remarked that alternate point solutions added complexity to their operations, lacked integration, and missed detection, which hindered their ability to assess risk and consolidate their security tools.

Today, through a highly scalable natively integrated CNAP solution, this customer is leveraging the Qualys Enterprise Service platform to combine insights built to run by the proactive risk management while actively detecting anomalies, preventing zero-day attacks, closing security gaps, and remediating risk with IBM integration through a single dashboard across its on-prem, hybrid, and multi-cloud assets. These capabilities provide the visibility and automation necessary to defend against today’s adversaries and represent a significant long-term opportunity for Qualys. With seamlessly integrated solutions, they would deliver natively on our platform to solve modern security challenges, more and more Qualys customers are beginning to understand how cybersecurity transformation drives better security outcomes, saves time, and costs less.

As a result, customers spending $500,000 or more with us in Q4 grew 13% from a year ago to 207. Consolidating workflows is not just happening with customers. It is also embraced and prioritized by our partners. Underscored by an increasingly strong mix of new business and significant growth, we continue to endorse our partner-first sales motion. Partner-led deal registration and win rates increased in Q4. In addition, with the launch of ETM, many of our security service providers are now deeply engaged for the first time in delivering new managed risk operations and ROC services encompassing risk quantification, security tool integration, risk monitoring, and Gotcha. Similar to how MSSPs monetized the SOC for post-breach response, the MROC is now a new frontier for MSSPs to capitalize on the centralized and automated approach to pre-breach risk management.

Partners are actively spearheading these new initiatives with Qualys as their MROC platform of choice. Turning to our executive team update, I would like to congratulate Dino DiMarino, our Chief Revenue Officer, who has decided to accept a CEO role at another company. I wish Dino well and thank him for his contributions during his tenure at Qualys. As we continue to focus on executing our product-led growth vision and partner-first strategy, I plan to oversee the sales organization while continuing to grow and scale the sales group. We are fortunate to have a talented next-level team of regional sales leaders who are energized by our competitive position in the market and ready to drive our business forward. With our FedRAMP high-ready platform anticipating FedRAMP high certification in 2025 and our continued investment in federal GTM, we are excited about the opportunity as the federal government looks to change the way things have been done in the past with costly on-prem solutions and move to cloud-based, more effective, and cost-efficient solutions for cybersecurity risk management.

In summary, I could not be more confident in our market position and opportunities for growth over time. Our leadership as a trusted security platform is a clear reflection of Qualys’ dedication to continuous innovation, delivering value to customers, and transforming cybersecurity risk management. Looking ahead to 2025, we will continue our disruptive innovation further as well as our go-to-market investment and execute our strategic vision with a balanced approach to long-term growth and profitability. With that, I’ll turn the call over to Joo Mi to further discuss our fourth quarter results and outlook for the first quarter and full year 2025.

Joo Mi Kim: Thanks, Sumedh. Good afternoon. Before I start, I’d like to note that except for revenues, all financial figures are non-GAAP, and growth rates are based on comparison to the prior year period unless stated otherwise. We are pleased to report a healthy finish to the year, highlighting our continued execution, financial discipline, and scalable business model. For the full year, we grew revenues by 10% to $607.6 million, netting an adjusted EBITDA margin of 47%, even with continued 14% growth in investments in sales and marketing. Net income and EPS grew 16% to $229 million and $6.13 per diluted share, respectively, and free cash flow reached $231.8 million or 38% of revenue, all of which exceeded our expectations for the year.

Turning to fourth quarter results, revenues grew 10% to $159.2 million. The channel continued to increase its contribution, making up 48% of total revenues, compared to 44% a year ago. As a result of our continued commitment to leverage our partner ecosystem to drive growth, we were able to grow revenues from channel partners by 18%, outpacing direct, which grew 3%. Fifteen percent growth outside the US was ahead of our domestic business, which grew 7%. US and international revenue mix was 58% and 42%, respectively. With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2025 to remain stable with ongoing budget scrutiny persisting for the foreseeable future. Reflecting this sentiment, in Q4, our growth retention rate remained approximately at 90%, and our net dollar expansion rate came in at 103%, unchanged from the prior quarter.

In terms of product contribution to bookings, patch management and cybersecurity asset management combined made up 15% of total bookings and 24% of new bookings in 2024. Our cloud security solutions, Total Cloud CNA, made up 4% of 2024 bookings. We attribute this success to our customers’ needs for broader contextualized awareness of their attack surface, with natively integrated risk management and remediation workflows across all environments on a single platform. Turning to profitability, adjusted EBITDA for the fourth quarter of 2024 was $74.2 million, representing a 47% margin, compared to a 46% margin a year ago and 45% last quarter. The stronger-than-expected performance resulted from our targeted optimization efforts, which was part of our 2025 planning process.

Consequently, operating expenses in Q4 remained relatively flat to last quarter. Our sales and marketing investments grew moderately, by 5% from last quarter. EPS for the fourth quarter of 2024 was $1.60, and our free cash flow was $41.9 million, representing a 26% margin compared to 22% in the prior year. In Q4, we continued to invest cash we generated from operations back into Qualys, including $5.8 million on capital expenditures and $42.3 million to repurchase 312,000 of our outstanding shares. As of the end of the quarter, we had $143.4 million remaining in our share repurchase program. We are pleased to announce that our board has authorized another increase of $200 million to the share repurchase program, bringing the total available amount for share repurchases to $343.4 million.

With that, let us turn to guidance. Starting with revenue, for the full year 2025, we expect revenues to be in the range of $645 million to $657 million, which represents a growth rate of 6% to 8%. For the first quarter of 2025, we expect revenues to be in the range of $155.5 million to $158.5 million, representing a growth rate of 7% to 9%. This guidance assumes no material change in our net dollar expansion rate, with moderate growth contribution for new business in 2025. Also, realize that there may be some near-term adjustment to the plan, given the upcoming CRO departure. We will be sharing updates as we make progress throughout the year. Shifting to profitability guidance, for the full year 2025, we expect EBITDA margin to be in the low 40s, implying an 18% to 20% increase in operating expenses and free cash flow margin in the low to mid-30s.

We expect full-year EPS to be in the range of $5.50 to $5.90. For the first quarter of 2025, we expect EPS to be in the range of $1.40 to $1.50. Our planned capital expenditures in 2025 are expected to be in the range of $8 million to $13 million. For the first quarter of 2025, in the range of $2 million to $4 million. In 2025, we anticipate gross margin to contract by approximately 1%, given certain investments we are currently making in some of our data centers, to achieve greater operational efficiencies and reduce medium to long-term marginal costs. With respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, accelerating our partner program, and expanding our federal vertical.

As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing, and engineering with a more modest increase in G&A. With that, I’ll turn it over to Ned, and I would be happy to answer any of your questions.

Q&A Session

Operator: Thank you. Our first question comes from the line of Kingsley Crane from Canaccord Genuity.

Kingsley Crane: Thanks for taking the questions, and congrats on a great quarter. So again, you have so many great products in the portfolio. We’ve seen some others in the space opt for more of a consolidated consumption plan that simplifies pricing and can get more products in the hands of customers. So any thoughts on creative packaging opportunities over this next year?

Sumedh Thakar: Yeah. That’s a great question. I think, as I mentioned in my script, really, customers are looking at ways that they can anchor how they’re looking at their cybersecurity spend by looking at their business risk and how they’re able to articulate that spend by reducing business risk, and that is a combination of bringing Qualys modules where they’re available, bringing data from third-party solutions where they’re available. And so as we are early in the journey right now with ETM and the amazing feedback that we’re getting right now from the early adopter customers for ETM and the POCs that we’re going, I think as an evolution of that, we continue to look through the year at getting feedback from these early customers on how we can help them adopt the broader platform, both in terms of the integration, but also pricing.

It is something that we will be continuing to review throughout the year to see where we are operating opportunities for packaging, that sort of a model anchored around the adoption of ETM rather than individual modules.

Kingsley Crane: That’s great to hear. Intimate with Dino’s departure, it sounds like you’re going to oversee sales efforts a bit more hands-on. You recently had taken on a bit more with product and marketing as well. So just wondering any updated plans on or thoughts on your bandwidth and if you’re looking to hire and just how you plan to balance your time.

Sumedh Thakar: Yeah. Thank you. I’ve done this a few times in the past, and I’m happy to jump in periodically to help as needed. You know, again, we thank Dino for being part of the team, but you have been working on this for a while with the product team, not just the CRO. And our 2025 planning has been in a good place. So now it is really about focusing on execution. And as you see, a key part of our execution is celebrating the success that we’re seeing with our engagement with the partners and how can we pivot more towards a partner-oriented GTM strategy, which means that the focus is a little bit less on your direct and growing direct and more on how do we partner with our partners both from lead gen, pipeline gen as well as execution on closing deals, etcetera.

So I think we continue to focus on executing that, working closer with partners, and aligning our sales leadership with that. The good news is that our sales leadership below, you know, is very strong. Many of them have been here even before Dino joined us, and they are very connected, dedicated to the mission. And so I look forward to continuing to do that. I think on the product side, we have great leaders on our CTO, Billy Petrani, as well as our SVP of product management. Both have been here for over ten years and really driving working with me, the execution that is needed on the product side, again, aligning to our vision of delivering capabilities like MROC, which will encourage our partners to do more with us, not just from the GTM side as well, but also from the product side.

So again, for us now, it is really more about finding the right leader who understands our partner focus and will be leaders who will be working with us on making sure that we’re not necessarily focusing on the direct side of growing the business, but more around focusing on how do we pivot our partner focus and make sure that all the different parts of the business are going in that direction.

Kingsley Crane: Makes sense. You definitely have the deep bench. For the time.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Matt Hedberg from RBC Capital Markets.

Mike Richards: Hey, guys. This is Mike Richards on for Matt. Thanks for taking the question here. Maybe I want to go back to Dino’s departure and, you know, appreciating that you probably already had your sales kickoff here, and you had a plan for the year. But what are some of the changes that maybe we could expect or that you think could really improve the sales motion this year, given his exit and you taking the reins here?

Sumedh Thakar: Yeah. We really finished our planning for 2025 towards the end of last year, and now it is about executing on the sales focus with our sales head group that’s helping essentially manage the sales team globally, SVP of product, SVP of partnerships, and then our VP of sales ops and enablement. And so as I talked a little bit about this, and you saw the release of MROC, which is our partner-focused managed services platform, as well as really focusing on working with our partners on how do we increase the deal registers, how do we leverage essentially our margin to make sure that we are able to balance bringing customers to these partners, but also how these partners can actually create revenue for themselves with services that they can anchor around the Qualys platform with consolidation of multiple different capabilities with risk quantification, remediation, etcetera.

And so for us, really focusing on the pillars of how are we going to make sure that we, you know, last year, as we said, the goal focus was partner-led for new business. We started at the end of last year, and this is our key execution this year. It’s how do we also work on our existing business, which has direct customers, to leverage that relationship with our partners to potentially bring them some of our direct customers while working with them on a partnership where they bring us, like, new logos, so that we can execute towards creating more opportunities for ourselves. So there are multiple different things that we’re focusing on that, as well as focus on our federal business, which is something that we are excited about, the potential opportunity.

So we’ll continue to execute on that aspect as well because our current contribution to the business from federal is extremely small, and so there continues to be a much larger opportunity there. So it’s really about how do we pivot our execution, which has been a mix of direct and indirect, to reduce the friction that is there and then build the confidence with our partners by not only giving them that confidence of the business, we can bring them that is direct with us, but also giving them a potentially significant revenue stream by adding services around the Managed ROC capability, which we are seeing a lot of global enterprises gravitate towards, given that it adds a layer on top of their existing tools.

Mike Richards: Great. And then I just want to ask on Total AI. I mean, it seems like there is such a big opportunity there. So, you know, maybe stepping back, has there been any early customer feedback on Total AI? How are you thinking about it in terms of a growth driver for next year or maybe picking up steam? And then, you know, it’s I know it’s all greenfield, but who else are you seeing when you’re going in and talking about Total AI? Is there anyone else doing what you’re doing here? Or anything else on just competitive dynamics there?

Sumedh Thakar: Great question. I think if you look at the journey of AI, it’s evolved over the last couple of years. I think, yeah, 2023, a lot of people started looking at that. In 2024, lots of POCs took place in many companies around leveraging LLMs, and then as we get into 2025, we are going to start to see deployment of more and more AI elements into actual production environments. We saw a little bit of that starting to happen in Q4. And so the questions from customers really are about what are the things that they can do to check and workloads. And, you know, the first question we ask is, well, how many do you have? And they cannot even answer that. And so in that sense, the Total AI capability and you probably saw our recent blog.

We pointed our Qualys Total AI to DeepSick and found a whole bunch of issues. And it’s really about helping customers get that level of comfort that whatever they are putting out in the production environment is not something that could be jailbroken. It’s not something that is leaking information that it should not. It is following compliance guidelines as well as detecting vulnerabilities in this. And so in that sense, the way we see it is Total AI is fairly unique because we’re actually able to leverage our existing footprint in the customer environment to first help discover their AI workload so they don’t have to deploy another solution to discover AI in the first place. And then once we discover those AI workloads, we’re actually able to scan them using the scanner, the agent that they already have from Qualys, and then provide them that visibility.

So early feedback has been very good. In fact, in our strategic advisory board, when we asked our strategic advisory board CISOs to pick the area that is top of mind for them for 2025, AI security came up the most. So we look forward to those engagements turning into paid opportunities. However, CISOs are also going through this right now trying to figure out how are they going to pay for this, where does that come from, do they get additional budget, are they going to get additional risk for security, are they going to move some of the money around from their existing budget given their overall increase in cyber spend is not that significant. We don’t anticipate it to be that significant. So I think right now, it’s a little bit early for us to know what kind of impact it is going to have.

But the opportunities that we are starting to see build up are definitely encouraging and positive. And in that sense, the way we are scanning AI, we feel that it’s pretty unique. And that’s the feedback that we’re getting from customers is this is a great way because they look at it as, like, the eGates at immigration. Right? Like, the security team will scan that LLM before it goes into production and then give a thumbs up or a thumbs down. That they can go back and see it. And again, if you want to see the kind of things that our scanner is able to detect, you can read our blog on when we pointed it to DeepSick, what are the things that we found around that. So we’re excited about that. We just want to monitor really how that opportunity is going to evolve.

And yes, it is greenfield, but also depends on how much additional budget resources will be able to get from their CFO into this year versus next year in terms of investing more in AI security, and we expect that to start this year and have a gradual ramp into the next couple of years.

Mike Richards: Great. Thanks again. Congrats.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Rudy Kessinger from DA Davidson.

Rudy Kessinger: Hey. Thanks for taking my questions. You know, the last two quarters now, you guys had pretty good outperformance on both revenue and current calculated billings. I guess, just particularly in Q4, just what relative to your guidance and expectations, what came in specifically better than expected? I know you said you had a weaker Q4 pipeline going into the quarter, but again, pretty strong revenue, current calculated billings in the quarter. And then just as I look at the guidance for Q1 to next year, it doesn’t seem like you’re really expecting that to continue, particularly in Q1, with the revenue decline expected. So I don’t know. Was there anything maybe one-time in Q4 that drove the upside, or I’m just trying to put together the strength in Q4 and Q3, but not really seeing that continue in the guidance that you’re providing.

Joo Mi Kim: Yeah. The second time is, like, 2024. Current billings, if you’re taking a look at that, it was higher than the bookings performance, partly due to the invoicing cycle. But if you take a look and look at the revenue in Q4 and predict, we did have better linearity, a little bit better on the renewal in terms of how the deals closed in the quarter that did have an impact on the revenue that we booked in Q4. Looking into Q1, one of the reasons why Q1 was a little bit light is because, I mean, we’re not taking into any consideration from the late renewal slippage into Q1, and then plus the fact that the number of days in Q1 is lower by two relative to Q4. And then looking at the full year, one of the assumptions that we’ve kind of made was if you take a look at our net dollar expansion rate, currently at 103%, which is great from the perspective of it’s stabilized.

However, if you take a look at a year before or even two years ago, it’s down. So taking that into consideration, looking at the trajectory of the business, we are assuming no improvement in net dollar expansion rate going into 2025. And then also the fact that we are taking that partner-first approach. Right? So which means that with the partner business currently making up 48% of revenue in Q4 relative to 44% a year ago, we are expecting that trend to continue into 2025, which could have a shorter-term negative impact on the growth.

Rudy Kessinger: Okay. And on the new logo front, I know for the first type of orders in 2024, you’ve called out, I think, double-digit year-over-year growth in new logo bookings. I know Q4 was a tougher comp, but where did that land in Q4? And I know you’re giving that expectation on DBN and ER, they remain steady, 103%, like, what is your expectation then on new logo bookings growth in 2025? It would seem to be it’s expected to be weaker growth than 2024.

Joo Mi Kim: Yeah. That is the assumption that we’re making right now because in Q4, like, last quarter earnings, we had called out the fact that Q4 looked to be a little bit light from the new bookings perspective, and it actually did turn out to be that. We were a little bit disappointed with the new bookings performance and then the amount that it added to the revenue growth rate. So we’re kind of assuming that it will continue on that path into 2025 where we’re not expecting meaningful growth in the new business, especially particularly just because we are more focused on landing new logos through our partners. So we’ll be working with them very closely to see what kind of incentives that we can offer them so that they can really go out into the market and help us to get new customers in.

Rudy Kessinger: Okay. That’s all very helpful. Thank you.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Shrenik Kothari from Baird. Shrenik, your line is now open. Please check your mute button. Again, Shrenik, your line is open. Please go ahead. One moment for our next question. Our next question comes from the line of Josh Tilton from Wolfe Research.

Mark: Thank you. This is Mark. Can you take on for Josh Tilton? Just one quick question. We’ve heard several vendors talk about conservatism related to the federal vertical and the administration change, and we just wanted to ask how are you thinking about that for the coming year in terms of potential opportunity and how it’s factored into the guidance. Thanks.

Sumedh Thakar: Yeah. We’re super excited about the opportunity. Right? And I think what exactly the administration will do on a day-to-day basis, I think it’s like your guess is as good as mine right now with all the things that are changing. However, I think the narrative from the new administration has definitely been about not doing things the old way and really bringing more efficiency in everything that the federal government is doing. And so we look at that as opportunities for us because, you know, many federal agencies for many years have been using on-prem vulnerability assessment capabilities that are, you know, arcane. They are costly to maintain. Need a lot of hardware. Need a lot of people. And so as we await our FedRAMP high certification, which will then make our platform as one of the only FedRAMP high platforms that does vulnerability management, patch management, EDR, risk management, all in a single platform, we are excited about the potential opportunities that it can bring.

We continue to invest in our federal team. That is one of the things we’re focusing on this year. Focusing GTM, growing the team as well on the federal side, and with that, it’s just a little bit hard right now to know when we will get that federal high certification this year with administration changes, but we are hopeful for that. And once we get that, that can open up quite a bit of opportunities for us. But hard to tell right now what impact it’ll have on 2025. So we’re not factoring that anything majorly in it right now. But overall, given the narrative on being able to bring efficiencies and being able to modernize the infrastructure and moving in a more positive direction, we think we’re well-suited to capitalize on that versus, you know, on-prem older on-prem solutions that have been incumbent there for a while.

Mark: Okay. Thanks so much.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Yun Kim from Loop Capital Markets.

Yun Kim: Great. Thank you. Quick question on the enterprise true risk management or ETM. It seems like that’s a clear differentiator for you guys out there, and it’s definitely something that, at least, I’m keeping an eye on. If you can just talk about the overall go-to-market motion around ETM, the competitive landscape, and, you know, obviously, heavily leveraging the channel this year. Is this a product that could be leveraging to the channel? Not just direct. Thanks.

Sumedh Thakar: Yeah. That’s a really good question, you know, especially if you look at right now, we don’t believe we see any other solution in that space that is as comprehensive as ours because you have some aggregation solutions that are very focused on vulnerability aggregation, but they don’t do risk quantification. There are some that do some risk quantification, but they don’t do the aggregation part as well. And definitely, we don’t see anybody who’s kind of doing that also doing a good job at remediation. So if you look at the Qualys ETM platform and the concept of the risk operations center, which a lot of our CISOs are super excited about because they don’t want to go to the board for an annual strategy and say that they just want to implement another solution for multifactor authentication as their strategy.

They want to be able to say, we’re building out the risk operation center just like ten years ago, we built our security operation center for threat detection. We want to do proactive risk management, and the ETM platform enables bringing out a risk operations center. And that’s why because it provides the risk quantification, it provides the ability for the CISO to be able to have a conversation. Today, they say we fixed so many things and we had so many issues, but that doesn’t mean anything to the business. ETM allows them to go out and be able to say, look, our $500 million business has a potential loss of $10 million a day. And currently, based on risk signals from multiple different products, the possibility of that happening is high.

And if we invest $500,000, we can bring that risk down to an acceptable level. And so now it is a much better conversation that the CISO can have with the CFOs to say, look, we can invest $500,000 in this particular area of cybersecurity, and it will bring down the potential of losing $10 million a day by 80%. That’s a much better conversation is how they look at it, and that’s the feedback that we have gotten. And we don’t see other platforms out there right now that are really enabling that. I think the GTM definitely evolves for us this year. As ETM comes out because now it’s less about a replacement conversation about your existing vulnerability management solution. So our new business sellers can really go out there and say that’s okay.

You can keep the current solutions that you have if you have this cloud provider and that vulnerability provider and that identity provider, we are not here to have an immediate replacement conversation. We can easily take the data from all of them, and we can show you a consolidated view of the risk coming from all these existing solutions, which makes it a little bit easier for the CISO to not have to go for a fight with their internal teams to replace a tool that is already working well for them just because they’re getting some additional credential discount. So it essentially means our new business sellers, any customer that has any cybersecurity tools, that becomes a potential customer for us, for acquiring new logos and doesn’t have to take that long as it would if you’re replacing another solution.

Our post-sales team, they get an opportunity for existing customers that might have some other solutions for cloud security, for EDR, to then go and layer that on top, and you already had one customer that has a well-known cloud security provider just for their cloud estate, then they are purchasing the ETM capability, paying us additional revenue on top of what they’re paying the cloud provider to consolidate those findings into one. Right? So it gives us an opportunity to make revenue on top of any investment that the customer might have made in other tools as well. But also from a partner perspective, you know, I mean, as we work with partners, of course, the partners have been selling our computer solutions for a certain margin, and, you know, you could give them a little bit more margin here or there, but that doesn’t move the needle as much.

However, many of the providers who are resellers, etcetera, are moving to figuring out how they can increase revenue significantly with managed services. Because services are where they can make a lot of business. And so today, with the deployment of ETM where our largest customers are actually the ones who are looking at deployment, they need services around that. And services for risk quantification, service for aggregation, service for risk monitoring, service for risk elimination. And these are brand new services. So these partners today are in the MDR provided by many people. But the reason why partners are excited and can potentially bring even more business to Qualys is because every business of purchasing Qualys products that they bring can add additional services for them on top of Qualys that they can generate revenue on.

And so that is where a key part of what we are doing, and you saw the reason that we did with MROC really about enabling ETM to be delivered to our partners for the most part so that partners are excited about larger deals bringing those to us. And also, they don’t have to constantly get in the conversations of replacing tools to make additional revenue. So a little bit of a longer answer, but it’s something that is definitely an interesting way for us to tweak our GTM and have less replacement conversations and more about consolidation and letting them use their existing proof that they have because honestly, when we talk to CISOs, very few of them, if at all, are actually thinking that they’re going to replace all of their tools with a single vendor.

Yun Kim: Wow. I can tell that you’re very excited about the opportunity around ETM. So just another question around the investments that you’re making around the indirect channels. You already talked about the opportunity around MSSPs. But what about the hyperscalers and CSPs? Is this something that could be also deployed on the cloud environment as well, meaning the CSP environment?

Sumedh Thakar: Yeah. For sure. Right? I think today, if you look at, you know, you can have this cloud security solution that is either provided by the CSP or it’s provided by, you know, one of these cloud-only solutions. But, you know, when I asked these, so I said, okay. That’s great. So now you know you have 75 buckets that are open, but how does that impact your business? Do you know how you stand to lose because of these buckets open? And they cannot answer that question because a lot of times, the risk may not be in the cloud directly, but the risk might be coming from malware that is on the laptop of the admin who is looking to access that particular cloud account. And the cloud-only provider cannot pick that up, but then the EDR provider will pick up the risk.

How do you tie these two things together? And that’s where something like ETM can be useful, and as our larger customers, you know, they are working with the different cloud providers, and they have EDP credits with different cloud providers, and they can leverage those. We continue to work with them to find ways that we can essentially map customers that have other tools but can actually use their credits to purchase things like ETM as well or working with partners who can then transact through some of these cloud providers for the credit. So I think those are also opportunities that we are continuing to explore. We recently had a conversation with a cloud provider exactly around that. And so that’s an area that we continue to push forward this year as well.

Yun Kim: Okay. Great. Thanks, and good luck with the ETM this year. We wish you the best around that.

Sumedh Thakar: Thank you very much.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Jonathan Ho from William Blair.

Jonathan Ho: Hi. Good afternoon, and congrats on the strong result. Just wanted to understand sort of relative to your guidance how we should be thinking about the level of investments that you’re making this year and maybe where you see the most opportunity to leverage that either relative to your go-to-market comments or on the product side.

Sumedh Thakar: You. I think for us, we continue to evolve the product, and then so there are opportunities for us to work with our partners on things like MROC, but I think the focus continues to be on GTM investments. That’s where we are again tracking returns, seeing the success we’re seeing with partners. And so it’s really going to be about how do we continue to find ways with our partners to invest in GTM, but pivot more towards working with partners to bring them business so that they can bring this business, doing co-marketing, joint marketing, etcetera, investing in roadshows around MROC, etcetera. And then, you know, investments in the federal business, which is something that we want to continue to do. So those are essentially the areas that we are looking to do.

I think the product development area is something that we do well and we do very efficiently as well. And so we will continue to add capabilities there. And, of course, there will be certain investments in solution architects and the functions around to surround the sales team with success, being able to go out and do POCs around MROC and around ETM, etcetera. But that’s really how I see where we’re going to be continuing our investment and not necessarily so much on engineering and product increases.

Jonathan Ho: Got it. Got it. And just as a quick follow-up. I mean, I think we’ve seen a lot of emphasis around true risk and total Cloud in our conversation. How do you think about this approach of selling on the bundling side and potentially what that uplift looks like from a revenue standpoint? Maybe not immediately, but over time. And, you know, how do we think of that, especially along the axis of adding additional product versus adding additional assets? Thank you.

Sumedh Thakar: Yeah. We are actually excited about the opportunity we see that as ETM, which is ETM has become a layer on top of the different cybersecurity capabilities that the company has, and ETM becomes the layer through which the CISOs really interact with the platform. And so the way we see that is that it’s those who want to adopt ETM, the platform play becomes actually quite interesting because now for ETM, they can actually adopt inventory. They can adopt vulnerability management, cloud security, some of these modules from Qualys as they need, and then also bring data from other third parties as well. And so as we get feedback from our customers, we do see that ETM can allow us more conversations around, well, here’s a platform that is going to essentially pull in the things that you, the basic things that you need for your initial risk management, and then you can layer on by using additional spend for third-party data coming in.

And as we learn through these conversations with our initial customers, I think that is going to inform later this year on how we come up with the packaging and bundling around ETM that includes multiple Qualys modules. Today, we are already seeing conversations with our existing customers where they are actually looking to buy additional Qualys modules just because they integrate into a singular score. Right? That’s the idea is that instead of getting all these big lists, and when I talk to CISOs and ask them what is the risk posture of you today, they show me ten different dashboards from ten different tools, but that doesn’t say anything about how much risk a particular entity in their environment has because every single tool is reporting a different set of findings.

So TruRisk anchors to say, well, why should I buy AppSec from Qualys versus somebody else? Because the Qualys AppSec is already built into the platform, and there is no additional cost right now to use that within ETM. So it’s like you can bring AppSec data from a third party if you would like. So we’re open to that, but then they pay for the data ingestion. Or if they use the Qualys module, which we already have, then they don’t have to pay for the ETM ingestion license as an example. And that is an incentive potentially for them. So as we roll this out, we will get feedback from customers and see how that increases our attach rate for additional products. And then how do we come up with the pricing that allows them to adopt more capabilities as part of ETM without having to create purchase orders every time they want to try something new.

So in a way, how do we find a way to give them access to bundle or at least to have access to multiple capabilities from Qualys with the spend that they have with us. So these are things that we are working through right now and that we are excited about getting feedback from our customers, and that should inform how we roll out bundling and pricing at some point later this year.

Jonathan Ho: Excellent. Thank you.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Brian Essex from JPM. This is on for Brian Essex. Quick question. I guess, you’ve now provided your revenue guidance for the year. How should we think about billings, especially with the strong billings that you had the last two quarters? Will it follow a similar trajectory to what you provided for revenue guidance? And overall, like, how should we think of it throughout the going throughout the year? Thanks.

Joo Mi Kim: Yeah. For current billings, we ended the year at 9% and total revenue growth rate 10% for 2024. We just assume for now since we don’t provide current guidance, you can assume the same current guidance growth rate in 2025 as a revenue guide is 6% to 8%.

Brian Essex: Got it. Thanks. And I guess a quick follow-up. Can you help me understand, like, what do you think still needs to happen in the channel to see investments translate to top-line growth? I know, like, overall, investments in the channel can be a lagging effect versus just investing in direct. Like, at what point do you think you’ve invested what you need to do? Is it just that you need to continue with product knowledge overall? What still needs to happen?

Joo Mi Kim: Thanks.

Sumedh Thakar: Yeah. I know. This is a multiyear program that we launched a couple of years ago, and, you know, initially, it was just repairing our relationship with partners and building confidence and getting initial deal register up. We evolved that strategy into going to lead, you know, new business partner first, which was sort of the next step. This year, we are focusing on working to see how we can take some of our direct customers to the partners and have them bring us additional, like, new logos for having this partnership. The evolution, acceleration of that is, you know, the margins and the percentages are fine, but how can we help them make ten dollars of services revenue on top of a dollar of product revenue potentially.

Right? That’s what the evolution of MROC is. And so I think we internally, of course, we continue to track our deal register to continue to track our win rates with partners. I think it’s pretty clear that we’re having good success with our strategy so far. And so now it is about everything towards that. And, you know, we I think you have done a pretty good job of going from 60-40 down to 52-48 split while mainly reasonably maintaining our margin. And so I think that’s a testament to the way that we are thoughtfully tracking our investments and working with our partners. So we continue to work with our partners and continue to improve our deal ranges and move our progress over partners. And part of that is, you know, we’re doing a lot of investment, spending time with them at SKOs, providing them opportunities for upsells with collateral and material, and then also a lot of training that we are doing with these partners so they become aware of the Qualys capabilities and how to pitch some of the Qualys capabilities.

So those are all areas that we have been investing in, and we continue to invest there.

Brian Essex: Thanks. Thanks for taking the question.

Operator: Our next question comes from the line of Hamza Fodderwala from Morgan Stanley.

Oscar Sabero: Hi. This is Oscar Sabero on for Hamza. Thank you for taking my question, and congrats on solid results in the quarter. Going back to guidance, you know, last quarter, you noted expectations for ongoing budget scrutiny to proceed going forward. Today, you’re expecting NRR to sustain at around 103%. And if I heard correctly earlier, you noted expectations for, you know, near-term potential adjustments to guide to incorporate the CRO transition. So, you know, can you help us bring all that together and how should we think about the level of conservatism?

Joo Mi Kim: Yeah. I think our guidance for this year takes into consideration all the points that you just laid out. I think that the biggest growth drivers in our business are still our existing customers. So if you take a look at our net dollar expansion rate, having ticked down consistently for the last couple of years, because of where we just ended in 2024 at 103%, we’re assuming no improvement to that 103% entering 2025. And given the light new bookings performance in Q4, and we’re assuming that will kind of continue into 2025, that’s informed our guidance of 6% to 8%. And this is what we see today, and we thought it was prudent for us to guide based on what we see today versus, you know, like Sumedh talked about, there’s a lot of opportunities in the business and upside within your product, like ETM working very closely with partners to drive new local land as well as expand.

But, again, that’s the timing of realizing that and recognizing into revenue is a little bit uncertain.

Oscar Sabero: Got it. Very helpful. Thank you very much. That’s it for me.

Operator: Thank you. At this time, this concludes today’s conference call.