QLYS - NASDAQ

Ladies and gentlemen, thank you for standing by. Welcome to Qualys' Third Quarter 2024 Investor Call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question-and-answer session. [Operator Instructions]. Please be advised that today's conference is being recorded. I would like now to turn the conference over to Blair King, Investor Relations. Sir, please go ahead.

Thank you, Michelle. Good afternoon and welcome to Qualys' third quarter 2024 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest form 10-Q and 10-K. Many forward-looking statements that we make on this call are based on assumptions as of today. And we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release prepared remarks and investor presentation are all available on the investor relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

All right. Thank you, Mr. King. And welcome to our third quarter earnings call. Q3 was another quarter of rapid innovation for Qualys, reflecting our ongoing commitment to technology leadership, cybersecurity transformation, and successful outcome for our customers. As I have focused on product management and marketing the last few months, I have personally spoken to many CSOs who are struggling with way too many security tools from shift left to run time, creating too many findings that are overwhelming the IT and dev teams, leading to multiple siloed top 10 dashboards and an inability to articulate the true risk to the business stakeholders. They are feeling the pressure to articulate the ROI of their security spend and rationalize the security spend in context of the risk to the organization to their CFO, CEO, and board members. Risk can only be mitigated if it is remediated and performed in a timely manner. There is an immediate desire to stop playing the risk whack-a-mole and establish a properly operationalized risk management process by implementing a modern risk operation center. At our recent QSC event in San Diego, we ushered in the next era of cybersecurity innovation by announcing the GA of enterprise through its management solution, which is the world's first cloud-based ROC. ETM performs siloed data into cohesive real-time risk management solution by consolidating Qualys and non- Qualys data from several technology design partners, including Wiz, AWS, Microsoft Defender, Oracle, Okta, and Forescout. The result is a single, comprehensive, AI powered platform that aggregates security findings, unifies threat intelligence, and provides organizations with actionable, enterprise-wide insights to prioritize and remediate cyber risk with unique business context and financial impact via cyber risk quantification. Unlike some exposure management platforms in the market that only expose the exposure based on data their sensors collect and provide no remediation capabilities, Qualys ETM comprehensively provides a single risk view that goes beyond vulnerabilities, across code repositories, on-prem, cloud, container, remote endpoint, identity, OT and IOT findings from multiple existing security tools in customer environments along with patching and remediation capabilities. With ETM, Qualys has set a new gold standard in the industry for proactive cybersecurity risk management: cyber risk orchestration is coordinated, quantification is comprehensive, remediation is transformed, and the enterprise-wide ROC at scale is a reality. We see many parallels between this new market opportunity and the early days of VMDR, including a significant greenfield opportunity and being early to market. I encourage all of you to watch the video describing our ETM powered ROC in more detail at qualys.com. We also announced the mROC, which will enable many managed service providers to deliver services on the Qualys ETM as a managed Risk Operations Center. Lastly we announced a cyber insurance company is going to provide Qualys ETM customers with additional discounts on their premium for lower TruRisk scores shared directly from ETM, allowing customers to transfer residual risk to their business. With a ROC delivered by Qualys ETM, we are now empowering C-level executives and security teams with out-of-the-box, instant, and actionable insights into trending risks specific to their vertical and mapped to their own data to preemptively identify prevailing threats well in advance of a potential security incident. With this new app which we call TruLens going GA soon, CISOs and security teams are immediately be notified of potentially impacted IT and OT assets within their environments, the materiality of those assets to their business, the associated impact to their overall risk score, and are equipped with the ability to make remediation frictionless and immediate with a simple click of a button. Alongside several other exciting new announcements at QSC San Diego, we were pleased to commence GA of both our TruRisk Eliminate and Qualys TotalAI capabilities, marking another milestone in Qualys' 25 year history of cybersecurity innovation. We are pioneering these categories, and both are key differentiators on our platform. These new approaches to cybersecurity risk management, along with several others on our roadmap in the coming quarters, arm our customers with the tools necessary to navigate an increasingly complex threat and regulatory environment, streamline security operations, and reduce cost. Moving to our business update. With many of our customers already embracing Qualys to help rearchitect and consolidate their stack, Qualys' VMDR has translated into an enviable customer base, broad adoption, and notable industry recognition. As recently announced, Qualys' VMDR with TruRisk was recognized by GigaOm as a comprehensive risk-based approach to vulnerability management and a leader in the category for the fourth consecutive year. We believe Qualys' placement as a leading vulnerability management solution further validates our investments in the platform and continues to represent the high-water mark for securing customer environments today, and in the future. Given Qualys' demonstrated track record for delivering greater value to customers, our VMDR solution with TruRisk is not only fueling new logo lands, but also helping to increase platform adoption, especially in the areas of Cybersecurity Asset Management with EASM, Patch Management, and Cloud Security. Let me share a couple of recent wins, which illustrate why companies turn to Qualys to help consolidate their security tools and fortify their security operations. In Q3, one of my favorite wins was a large federal government agency becoming a Qualys customer. This new customer was previously using multiple legacy and next-gen solutions to manage a variety of risk management use cases across their security, IT, and DevOps teams. In addition to the complexity of using multiple point solutions, this government agency was frustrated with increasing costs associated with on-prem deployments, the inefficiencies of operating siloed systems, and elongated remediation efforts. Looking to migrate to a natively integrated, cloud-based, FedRAMP High Impact level Ready solution that meets the CISA Binding Operational Directives, we displaced five of their existing vendors in a seven-figure bookings deployment using multiple Qualys modules right out of the gate. These initial deployments included Cybersecurity Asset Management with EASM, VMDR with TruRisk, Patch Management, Policy Compliance and EDR. Through this highly strategic and competitive win, this customer is now able to leverage unified dashboards that provide them with greater insights and automation than any of the competitive products they evaluated, while taking full advantage of a natively integrated platform. This win, alongside a separate seven-figure upsell with an existing large government agency customer, and a significant state win, are a testament to our ongoing investments to expand our federal, state, and local government business in the United States. Continuing our global platform expansion, I’m pleased to announce the IRAP in Australia has recently assessed Qualys at the Protected level. This achievement opens the door for Australian government agencies and commercial organizations looking to comply with the ACSC Essential Eight strategies as well as their PSPF requirements to meet their country’s most stringent security and compliance standards. Our successful assessment follows Qualys' approval as a cybersecurity service provider to the Victorian state government for vulnerability management services. Qualys was selected through a highly competitive and extensive vetting process, and is being bundled into a managed service delivered by E&Y. Turning to the momentum we're seeing with our TotalCloud CNAPP solution is a mid-six-figure bookings upsell with a financial services company in the global 200. This existing VMDR and CSAM customer selected TotalCloud to scale their container deployments to over 70,000 hosts, monitoring millions of Kubernetes container images daily. Through its evaluation of competing cloud security providers, this customer determined that alternative point solutions added complexity to their operations, lacked integration, and missed detections, which hindered their ability to assess risk and consolidate their security tools. Today, through a highly scalable, natively integrated CNAPP solution, this customer is leveraging the Qualys Enterprise TruRisk Platform to combine runtime insights with proactive risk management while actively detecting anomalies, preventing zero-day attacks, closing compliance gaps, and remediating risk with ITSM integration through a single dashboard from code to cluster. These capabilities provide the visibility, automation, and cloud hygiene necessary to defend against today's adversaries and represent a significant long-term growth opportunity for Qualys. Our growing leadership in the cloud market was also recently recognized by Gartner in its July 2024 Marketguide for Cloud Native Application Protection Platforms. With seamlessly integrated solutions delivered natively on our platform to solve modern security challenges, more and more Qualys customers are beginning to understand how cybersecurity transformation drives better security outcomes, saves time, and costs less. As a result, customers spending $500,000 or more with us in Q3 grew 15% from a year ago to 200. Consolidation isn’t just happening with customers, it’s also embraced and prioritized by our partners where we continue to see an increase in new customer deal registrations, and cross-sells. We believe the expansion of our partner program continues to reflect our strengthening brand awareness and strategic position in the market. In summary, we believe our natively integrated platform that comprehensively measures, communicates, and remediates cyber risk brings a highly differentiated value proposition to our customers as they get more security using fewer resources with the Qualys Enterprise TruRisk Platform. With a unique opportunity in this environment to further strengthen our strategic position as the partner of choice for customers looking to rearchitect and consolidate their security tools to solve modern security challenges, we believe we can continue to grow long-term, maintain best-in-class profitability, and invest in key initiatives aimed at further extending the gap between Qualys and the competition. With that, I’ll turn the call over to Joo Mi to further discuss our third-quarter results and outlook for the fourth quarter and full year 2024.

Thanks, Sumedh, and good afternoon. Before I start, I’d like to note that, except for revenues, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period, unless stated otherwise. Turning to third quarter results, revenues grew 8% to $153.9 million with channel continuing to increase its contribution, making up 47% of total revenues compared to 43% a year ago. As a result of our continued commitment to leverage our partner ecosystem to drive growth, we were able to grow revenues from channel partners by 17%, outpacing direct, which grew 1%. By geo, 14% growth outside the U.S. was ahead of our domestic business, which grew 5%. U.S. and international revenue mix was 58% and 42%, respectively. In Q3, we saw some stabilization in the selling environment but believe ongoing budget scrutiny will persist for the foreseeable future. Reflecting this sentiment, our gross retention rate remained largely unchanged at approximately 90%, but with stronger upsell performance our net dollar expansion rate came in higher at 103%, up from 102% last quarter. We continued to see a positive growth trend in new business, achieving a double-digit growth rate for the fifth consecutive quarter. In terms of product contribution to bookings, Patch Management and Cybersecurity Asset Management combined made up 15% of LTM bookings and 24% of LTM new bookings in Q3. Cloud Security solution, TotalCloud CNAPP, made up 4% of LTM bookings. The foundational theme underpinning these results is the power of our Enterprise TruRisk Platform to help customers consolidate cybersecurity at scale. Turning to profitability, reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2024 was $69.7 million, representing a 45% margin, compared to a 48% margin a year ago. Operating expenses in Q3 increased by 12% to $61.8 million, primarily driven by a 18% increase in sales and marketing investments aimed at capturing the market opportunities in front of us. As we continue to increase our investment intensity and focus on sales and marketing enablement, customer success, and productivity, we believe we will be able to drive wallet share and long-term returns. EPS for the third quarter of 2024 was $1.56, and our free cash flow was $57.6 million, representing a 37% margin, compared to 64% in the prior year. In Q3, we continued to invest the cash we generated from operations back into Qualys, including $3.4 million on capital expenditures and $44.9 million to repurchase 344,000 of our outstanding shares. As of the end of the quarter, we had $185.7 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenues. For the full year 2024, we are now expecting our revenues to be in the range of $602.9 million to $605.9 million, which represents a growth rate of 9%. This compares to revenue guidance of $597.5 million to $601.5 million last quarter. For the fourth quarter of 2024, we expect revenues to be in the range of $154.5 million to $157.5 million, representing a growth rate of 7% to 9%. This guidance assumes lighter new business this quarter based on current pipeline and continued deal scrutiny from existing customers with no meaningful change in our net dollar expansion rate in Q4. Shifting to profitability guidance. Factoring in the better-than-expected profitability to date, we expect full year 2024 EBITDA margin in the mid-40s and free cash flow margin in the mid-to-high 30s. We expect full year EPS to be in the range of $5.81 to $5.91, up from the prior range of $5.46 to $5.62. For the fourth quarter of 2024, we expect EPS to be in the range of $1.28 to $1.38. Our planned capital expenditures in 2024 are expected to be in the range of $12 million to $16 million; and, for the fourth quarter of 2024, in the range of $5.5 million to $9.5 million. Adding additional context, we are currently making certain investments in some of our data centers to achieve greater operational efficiencies and reduce medium-to-long term marginal costs. These investments pressured gross margin in Q3 by approximately 1%, and we anticipate a similar contraction in Q4. With respect to operating expenses, in Q4 we expect to continue to prioritize an increase in investments in Sales & Marketing aimed at driving more pipeline, supporting sales, enhancing our partner program, and expanding our federal vertical with more modest increases in engineering and G&A. With that, Sumedh and I would be happy to answer any of your questions.

Thank you. [Operator Instructions] And our first question comes from Jonathan Ho with William Blair. Your line is now open, sir.

Congratulations on the strong results. Sumedh, can you talk a little bit about some of the changes that you've implemented on the product marketing side, and maybe help us understand maybe what that impact could be just moving forward? It seems like your CNAPP products did quite well this quarter.

Yes, thank you. Great question. So, I think where we see the opportunity really is aligning overall messaging around the different modules to the messaging around business risk and risk quantification that we have been talking about, which is really helping customers sort of -- there's a lot of people talking about single grade of glass and platformization and different things and just bundling products for the sake of bundling. I think for us, as we launched the ROC, which is a big sort of announcement that we made around QSC, which is really bringing all the things that we're doing in cybersecurity together from a risk operationalization perspective. At the end of the day, how much money you spend on cybersecurity is really directly proportional to how much risk you perceive to the business, and a lot of CISOs struggle to even articulate that. So, if you don't necessarily have a good view of how much risk you have to the business, how do you decide on how much you should spend on the different areas of cybersecurity? And so, with product marketing and product management really, we have really focused in the last couple of months on realigning our messaging to the risk message instead of just individual modules and products. Of course, the journey that we have started on, but really being able to have that quantification conversation with a single risk score across all the different capabilities in the platform and bringing in third-party tools so we are not getting into the conversation of replacing existing tools. We're saying, if you have these tools that you like, you can keep those, but we can bring the data into the Qualys platform and give you that very simplistic view of essentially what is the risk so you can articulate that risk to your management, to your board, and that is resonating extremely well. So, when people are saying, I want to consolidate different tools or bring data together, it is really at the end for the purpose of understanding what does it mean to have so many different risk factors affecting a particular business entity. What does that mean in terms of how much risk do I have to the business? And so, this change in marketing, product marketing, the announcement of the ROC as well as the mROC, a lot of these things are very new in the way that we have announced them at our QSC event.

Excellent. And then, just for Joo Mi, can you talk a little bit about the strength you saw this quarter in terms of the net retention? And should we expect things to maybe trend towards this positive direction just given the release of the new products and the new bundles that you put together? Thank you.

Yes. We were really pleased with the outperformance and the upside, especially after a few consecutive quarters of a tick down and a dollar expansion rate. So, we're pleased to report that it's increased back up to 103%. Now, with that said, what we're assuming for the guidance is no material improvements in Q4 based on the current deals in play and what we're seeing in the business today. We are optimistic in the longer term that we will see that continue to tick up, but for the purposes of guidance, we are assuming no material change right now.

And the next question comes from Roger Boyd with UBS. Your line is open.

I want to touch on the channel. You continue to sound pretty confident in the opportunities that are unlocking there, particularly with the new platform offerings with mROC. It's clearly shown up in the revenue numbers, but I wonder if you could just expand on the momentum you're seeing there and maybe to what extent was channel a material contributor to the pretty strong 3Q billings growth here? Thanks.

Yes. I think at a high level, we are happy with sort of the journey we started a year, year and a half ago around really focusing more with our partners, channel partners to bring a business to us, increasing deal rates. So, we're seeing positive momentum there. And I think as we're seeing that momentum, what we are really looking forward to is embracing the strategy, which is our partner for strategy, right, for both a new business and for upsells. We're looking to say, how do we work with our partners and pivot more and more towards helping them not just bring a resale deal to us, but with the launch of the mROC, how can we enable these partners to now provide some meaningful services to the customer? For a long time, MDRs and managed SOCs have been something that they have been focusing on. But a lot of our partners now are excited that after a few years, they actually have the ability to now provide some really fresh new services in cybersecurity that are relevant to the customers, especially around providing a risk advisory service, a risk quantification service, and a technical service around ability to ingest data from multiple different tools, a prioritization, ongoing risk monitoring service around the ROC, a board reporting service so that they can have reporting that actually is meaningful to the board. And then of course, a remediation packaging service where they can actually take packages. And so, for us, we see as we work with our partners and AT&T company level blue signed up as the first mROC partner and expanding from just channel partner, just managed service providers to even cyber insurance companies that we're talking to is that partnership that can essentially help to say if you invest a certain amount in building out a risk operation center, that can give you benefit with lower risk scores and getting out of this like too many alert fatigue to actually focus on saying that this can actually give us a meaningful discount on our cyber insurance premium because we have set up a ROC with a TruRisk score. So, we see that a lot of things that we're doing really is about how do we embrace this partner for strategy across the board and creating products and capabilities and service that actually our partners can offer services on top of what we do and not just picking and reselling the capabilities.

And our next question comes from Patrick Colville with Scotiabank. Your line is open.

Congratulations on a very healthy print. I guess I want to focus specifically on the current billing's performance, which is highly impressive. The question I'm getting is, were there any deals, remind me, that was pushed from 2Q into 3Q or were there any deals that were signed in 3Q that were maybe kind of pulled in for 4Q? I mean, I guess, were there any one-offs maybe is kind of phrased more succinctly this quarter with the current billing's performance?

There were, but not outside the normal course of the business. In any given quarter, we do have some deals that get pushed out and then pulled forward. And so, it was a typical quarter from that perspective. With that said, when you take a look at current billing, it does get impacted by the billing schedule and the contract terms for the customers. And I would say that, the 14% that we just posted, it is higher than the booking's performance just based on the billing schedule. And so, one of the things that we do take guide to is, if you take a look at it on an LTM basis or even year-to-date basis, that helps to kind of smooth out the lumpiness in current billing. And so, I would say that's probably more indicative of the business momentum that we see today.

Very helpful. And so, I guess, I mean, you're just touching this now, but I guess I want to zoom in on exactly what you said. So, is using kind of an LTM basis the best way to get a kind of normalized view of what things might be next year? Appreciate you're not providing an early guide. But is that kind of mid to high single-digit level the right level on a forward-looking basis? Or should we expect more like a double-digit performance like this quarter?

Yes. It's a little too early to be commenting on next year, but because of the focus on current billings, I would say that, look like the best guide that we could give right now, the indication that we can give for Q4 is more or less in line with the revenue growth guidance. So, we're guiding to 7% to 9% revenue growth rate for Q4. And I would say that current billings, we are expecting it to be more or less trend in that direction.

Terrific. Thank you so much. And well done for a really great print.

The next question comes from Kingsley Crane. Your line is open.

Really impressive results. I'm sure it's gratifying for the whole team. I just want to get a little bit more granular on what drove the strength from a product perspective. It seems like with TruRisk and TotalAI, that those are really going to be more meaningful over the next couple of quarters and years. Thanks.

Yes, great question. Look, I think overall, we're happy to see we're in a good quarter. We're happy about that. I think I'd like to see the pickup in the NRR that we saw this quarter. We're happy with multiple quarters of new business growth that we have seen, though, as you mentioned, looking at sort of the Q4 pipeline, we expect some of the new business stuff to moderate a little bit. But having said that, our federal investments like that we have been making, we saw some good momentum and good deals with upsells and new business from the federal side as well in Q3. And we're happy with how our total cloud solution has been evolving and also the kind of performance that we saw from a Q3 bookings perspective, as you saw, VMDR or vulnerability management is really shifting with people buying more patch management that's part of VM solutions rather than just scan-only tools. And so you see that reflected in 15% of the LTM total bookings being patch management and CSAM. And then 24% of new bookings, LTM bookings are cybersecurity asset management and patch management in addition to VMDR. And so the new product capabilities that we are providing with VMDR are driving the net new business coming to us because people are saying, instead of just moving from a scanning-only solution to another scanning-only solution, they're buying patch management, they're buying cybersecurity asset management in the first purchase itself. We're also seeing some of them buy the cloud security solution in the first purchase itself. And so as we continue to put more training, more resources, more product marketing around the total cloud, and then the risk operation center, ETM driving it. We're also seeing some very, very positive early conversations with customers around TotalAI. Because what is happening right now is a lot of IT teams are getting ready to deploy some form of AI into production next year. They're coming to the security team and saying, hey, can you guys certify this? And most security teams today don't have any idea what to test from an AI/LLM security perspective. And so with Qualys TotalAI providing almost like a point-and-shoot scanner for AI that tests jailbreaks and some of the common AI vulnerabilities and giving a thumbs up or a thumbs down is really the perfect recipe for what they're looking for at this point of time. So we're seeing that momentum building up as well. And so as we get into next year, we're looking forward to continuing that momentum with patch management, cybersecurity asset management, bringing on more customers who are looking at cloud security solution consolidation as we are seeing wins against the established cloud-only players that are the ones in the market. We're seeing wins against them. One of those we highlighted here as well. And then also we are seeing that the amount of interest in the ROC and the ETM is very, very high. Our strategic advisory board CISOs, we are seeing a lot of them eagerly waiting to test this, try this, and really hitting a key point of contention that they are seeing with their management and their board. And so we feel like as we get into the next couple of years with growth on cloud, federal, ETM and AI are really building up some very, very nice potential growth opportunities for us over the next couple of years.

Great. That's really helpful. And Sumedh, I just want to take a step back and circling back to the departure of Pinkesh, the Chief Product Officer in September, which had been planned. I mean, what have you learned operationally over the past couple of months? Do you feel like you have the appropriate bandwidth? It seems like you do. It seems like things are going well.

Yes. I do. I think it's always good to get back in and see. And like most places, you just get people to talk to each other. What a wonderful impact that can make. And so I think, as I stepped in and brought the product management, product marketing teams together, and we were able to really just in a very quick period come up with this branding of risk operation center, which is a wonderful way of describing instead of calling it security data lakes and all kinds of different names that people are struggling with, it resonated really well. And this just came from the creativity of our product management and product marketing teams sitting together and saying, what are we eventually offering our customers instead of coming up with some very fancy terms and names, like it's literally just a risk operation center that helps them operationalize the cyber risk. And so I'm able to really see that enthusiasm in the team coming together. And you're seeing some of that with the messaging and the clarity and the crispness of the messaging that is coming out of Qualys now, as we've evolved ourselves from just being a vulnerability scanner into a really much bigger broader platform for risk management and not just scanning and finding vulnerabilities.

And the next question comes from Joel Fishbein with Truist. Your line is open.

Sumedh, just to follow up on the product questions, really interested in TruRisk Eliminate, seems like a very differentiated product. Love to hear what the early feedback is, and when does it specifically go-to-market, and when do you expect revenue to come from the management platform altogether? Thanks.

Thanks, Joel. You always ask the product question. I like that. So it's really, TruRisk Eliminate is very interesting. So I mean, if you recall into the history a few years ago, when I introduced batch management, there was a lot of pushback at the time. The analysts were not quite ready for that, and the market and competition today hasn't really picked that up. But batch management has become a real differentiator for the vulnerability management solution that we have, which has really helped us evolve our vulnerability management solution. And our customer spend has really been now distributed between scanning and patching with us. And while there were initially some questions on, would anybody buy patch management from a vulnerability scanning vendor, today, just this year in 2024, Qualys agents have deployed 78 million patches in our customer environment, right? So we are looking at some significant uptake in the patching cycles from our customers and the number of devices that they are patching, et cetera. However, patching is a little bit of a political battle in the customer environment between IT team and security team, and so we run into that sometimes. It's also an operational challenge, right? The more patches you deploy, the more opportunities that something could go wrong, and so there is hesitation on patching, though it is required. So with TruRisk Eliminate, we have come up with a very nice packaging that not only does patch management that we have done, but it also now provides the ability to mitigate the issue without patching. So our agents can actually deploy very specific mitigation because we study how attackers go about attacking a device, and we can make some small changes to the device that will prevent the attacker from being successful even without deploying a patch. And this is really something that our customers are really, really looking forward to because those who cannot buy patch management can now buy the mitigate capability because now they're saying, look, we're not buying patching, but we're buying something that allows us to mitigate the risk, and also it provides the capability of isolation. And so we're seeing some highly regulated environments where they're saying, look, if I cannot patch, I cannot mitigate, I'm going to actually take the machine off the network because it has way too much risk, and I just cannot take that kind of a risk. And so this packaging is something that just rolled out to production this quarter, and so as we start to get this messaging out, we talked to our strategic advisory board members. They were very optimistic about that because it helps them address the IT political challenge internally, but it also helps them address the zero-day challenge where there is no patch available, and the devices are being attacked. We can actually provide solutions for that. And so I'm looking forward early next year for that momentum because now we just go back to our existing customers who have patch and say, hey, here's an upgrade that you can buy that allows you to also bring mitigate, and those who are resistant to patch management can now actually purchase the mitigate capability as part of the eliminate where they say, well, I'm not patching, but I can actually buy this additional capability. So lots of interesting opportunities, and as we start to roll this out more broadly and getting early adopter customers using it, we're optimistic for this to be something that we will see more momentum next year.

And the next question comes from Rudy Kessinger with DA Davidson. Your line is now open.

Congrats on a strong quarter, particularly on revenue and billings. Similar to Patrick's question, I guess I'm curious on the revenue outperformance in the quarter. One of your largest, I think, as a public company, if not your largest relative to your guys, it sounds like upsell being better than expected was the primary driver, but I'm curious if that was it or anything else to it. And in particular, on the upsell, just was it a handful of large upsell deals or was it broad-based better upsell than expectations?

Yes. From an upsell perspective, it was more or less broad-based, and we were really pleased with our performance just because if you take a look at the recent quarters, because we've been underperforming not only in Q2, but it's been continuing to kick down from a net dollar expansion rate. We were conservative in how we were viewing the potential results of Q3. And so with our net dollar expansion rate finally going back up to 1% or 3%, it was really primarily driven by the upsell performance, our focused execution, getting the deals in the quarter that we had to work with. And then in addition to that, you definitely helped as well because you're seeing a continued momentum in the new business bookings where we're able to take some market share, get the new logos in. It's another double-digit growth. And so looking to Q4, we don't expect that to continue. We do expect a lighter new business quarter. And then on the upsell, we don't anticipate a similar rate of success on the upsell based on the deals that we see today.

Okay. That's helpful. And then I believe in an answer to the question earlier, you said Q4 current calculated billings in the 7 to 9 range that you're guiding on to revenue. Just to be clear, was that for CCB for Q4 or for trailing 12-month CCB in Q4, 7% to 9%?

Yes, Q4 CCB.

And our next question comes from Matt Hedberg with RBC. Your line is open.

Sumedh, a lot of positivity from this quarter. The channel contributions really stuck to me and new product momentum. I guess I'm curious, based on what you've seen now and maybe, through the first month of Q4. Can you comment on the durability of these trends? They seem to have an idiosyncratic nature versus maybe more macro-driven, but I was kind of curious on if you could provide a bit more color on maybe the durability of some of these trends that you're seeing.

I think if you look at the conversations that we are having, our user conference that we had in Mumbai as well as in San Diego, the strategic advisory board, we just did this one exercise where we gave mock money to the CISOs to put on different products and the momentum, like the interest that we saw with AI, et cetera. I think there's a real desire and a real focus on we need to move in this direction. We can't continue to just buy more tools and get more alerts and just randomly ask IT and dev teams to start to fix everything. So, aligning with this sort of business outcome and figuring out how do you get that one view of the different risk factors while keeping your tools and not having to go into the conversation having to replace. I think the momentum around looking to replace or get more total cloud and AI opportunities seems to us is very real, I think, but it is the reality of the macro is still there where there is extra scrutiny on the deals where deal cycles are longer. So, I think we're encouraged with the conversations, the momentum, the level of interest. I think all of that has been quite positive. Now, how does that translate quarter over quarter in the short term? I think it's something that is a combination of our execution, which you are happy with how we did in Q3 and then focusing on some of the pipeline build that we need to have, et cetera. I think what I look at is given these different capabilities are quite differentiated. I mean, if you look at raw ETM, if you look at eliminate, if you look at the patching piece, if you look at AI security that we have, these are quite differentiated from what the competition has. So, I think in the longer term, I see that as the focus on cybersecurity is going to be stable and people continue to come back to what are the areas of focus I have. I look forward essentially for these things to make a bigger impact in the next two, three years rather than trying to find just the next couple of quarters. So, I think the interest in all of that is real. I think how the deals close, I think some of that is going to be lumpy as we have seen in the last three quarters.

Well, that's super helpful. And maybe this kind of partially answers my next question, but for Joo Mi, just maybe a point of clarification. I know you said even just to the answer to the last question that your guidance assumes lighter new business trends for 4Q. I just wanted to put a finer point on that. Is that a trend that you're seeing or is it just sort of layers of conservatism as you go into what typically is a pretty strong end of year quarter for you guys?

It's definitely not a trend that we're seeing today. I think that we've seen the trend where the new business bookings have been performing very well year-to-date for us. What I'm commenting on is based on the deals that we're looking at in the outlook, kind of the pipeline per se. We are seeing a lighter pipe than we would like to see for Q4. So, because of that, I'm pointing to the fact that look, we've had this consecutive quarter of double-digit new bookings close, which was great. I don't necessarily see that continuing Q4, not to say that it won't continue out to 2025. I'm just giving a little bit of color for Q4.

Just to add to that, as you know, the pipeline in Q4 is informed by efforts that were made a couple quarters ago. So, the changes in marketing that we have made are important for us to understand where we came from and really look forward to the changes that we have made to bring that pipeline back home. I think the momentum over the last few quarters has been quite encouraging and has been a trend essentially. I think Q4 is calling out what we see just for Q4 at this point.

And our next question comes from Trevor Walsh with Citizens. Your line is open.

Sumedh, I know you had a lot of questions already around risk. So, I wanted to just maybe back out from a super high-level view. You had a good slide in the deck around just all the different tools out there that are quantifying risk in some way and totally understand or get kind of where you guys are coming from being kind of the consolidator of all those different views. Can you just maybe tell us from the customer view of the conversations you've had, what's maybe the one or two things that you think customers are going to lean on or like look to Qualys to kind of be that consolidator around risk as you roll out enterprise risk management?

Yes, excellent question. I think there are some smaller companies that are doing some form of quantification. But if they're focusing on the quantification from a dollar value perspective, they're not necessarily doing the finding consolidation of pulling data from multiple tools. And then if there are some tools that are doing some of that primary, they're pulling a lot of the data from Qualys and they're not doing a really good job of quantification. And neither tool is doing a good job of any remediation at all. So, at the end of the day, you spend millions of dollars building all these nice dashboards and staring at them doesn't mean anything if you don't actually get remediation done. And so, the level of interest from a lot of our customers is very high with the EPM and the ROC story, because first of all, those who are Qualys customers already that information or what asset inventory, which is a foundational element of any ROC, is already in Qualys. The findings, a large part of the findings are already in Qualys. And now they can just take their time to start to plug in additional sources with the partnerships that we announced with some of these key vendors that they are using. And so, being able to have that inventory, being able to consolidate on a scalable platform. So, we have a proven scalable platform where we can bring millions and millions of findings and actually provide that visibility with the scoring, which is another capability that a lot of customers use. But then ultimately, being able to create reporting that is relevant to the board and the remediation part are really the differentiators. You could have some folks who are consolidating some stuff and giving some risk numbers, but ultimately, they don't really help you actually get things fixed and provide you a report that you can take to the board for the most part. So, the fact that we're able to actually bring these different pieces and tools that are out there instead of having multiple silos, bringing all of that in one workflow. And it's a lot easier from what the feedback that our CISOs gave us is they say, when I'm going for a conversation about cybersecurity in a budget, it's a lot easier for me to talk to the board to say that we are putting in place a risk operation center, which is going to operationalize our risk across multiple tools, rather than go and ask for money for the next big trend that has come out. And whether it's zero trust or this or that, I can't explain that if I'm going to go and do something around zero trust as an example, what is the outcome that the company or the business is going to get. But with this, I can report something that says my $500 million business unit have a possibility for $10 million loss per day. And my score that is collected from multiple different vendors in a single score is giving an indication that there is a high possibility that you're going to lose that $10 million a day. And when I take that to my CFO to say, look, our score is high, the possibility of losing $10 million a day is much higher, then it's a much better conversation to have to say, like, can we spend $650,000 to put these four controls in place, which will then bring the risk down to 30%, which is an acceptable level. And you can prove that that risk actually came down. And that conversation is a lot easier for them rather than going and asking for more money to deploy the next big thing in security without actually being able to explain how, what they're going to get in return for that, other than just saying, oh, we're going to make things safer. And so that's where the initial enthusiasm is very high that the time to value is very fast because a lot of the data is already in Qualys. I think for the business side, I'm excited because our sellers and our partners, when they go to prospects who maybe have other competing solutions, they don't have to walk away or get into a protracted battle for replacement. They can say, okay, give me the data of your four different security tools. I can show you value in the next one hour of how all of that can come together and give you a TruRisk score. We're also looking at existing customers adopting more modules because these modules are already integrated into the TruRisk scoring rather than having to go with other solutions, which then they again have to pull feeds and feed into something. So there's a lot of positive things that we see with the ETM ROC from not only for the customers, but for our business as well. And so our focus for the next few quarters really going to be on executing across different fronts. But as you can see, we have really taken a holistic approach on not only the product marketing of it, but also forming the mROC as well as the cyber insurance as the other end of the risk transfer market as well. So that's really what customers like. It's not just a one score here. It's really a comprehensive look at how they can provide this visibility to their board and management.

Great. Thanks so much for the perspective. One quick follow-up for you, Joo Mi, if I can. Appreciate the color around some of the sales and marketing investments made in the quarter and kind of the effect on operating expenses there. I think that's been a theme for a few quarters now around just the overall investments, whether it's channel or otherwise. Can you just maybe give us a sense of how you're thinking about tracking the ROI from these investments, maybe like a few levels deeper than the metrics that we're seeing, whether it's revenue or billings and just how you kind of are seeing whether or not these different choices that you're making are kind of paying off. Thanks.

Yes. The way that we measure ROI, I mean, one of the kind of the standard metrics is obviously from a direct sales force perspective, the sales productivity, how much bookings we're able to generate for each brand's sales headcount. And the way that we've been tracking on that metric is we haven't seen that significant of an increase overall just because you have puts and takes. We have pre-sales business, the sales who are working on the new business bookings, has been doing really well this year, as indicated by the fact that we've been growing new bookings in double digits. Now, on the post-sales side, if you take a look at the renewal as an upsell, we haven't done as well in that area for this year. And so what we're trying to do is really taking a look at the sales overall to make sure that the structure is set up properly for us to really accelerate growth next year. And as we go through the 2025 planning, we will be taking a look at that in addition to all the initiatives that we've kind of tried out this year when it comes to the channel partners. We've been trying to invest in channel, whether it's from like setting up MSSP portal, making sure that they're incentivized from the deal rights perspective or sharing rebates with partners. We're taking a look at the different campaigns to see which ones work and then which ones we should continue into 2025 and how that will impact our profitability.

And our next question comes from Shrenik Kothari with Baird. Your line is open.

Congrats on the really great quarter, Sumedh. I had asked about the federal last quarter and the first public sector summit at the time and sounded quite enthusiastic about it. You highlighted some great wins in Q3. Just if we can help like quantify or any color in terms of the potential uplift relative to your expectations or seasonality. And you mentioned that the pipeline is still looking pretty robust from a federal standpoint in terms of the momentum beyond just the 3Q budget year. You can talk about like specific products and go-to-market strategies there specifically in relation to deepening federal relationships and federal agencies and how to expand into new departments there. And then I'll have a quick follow-up.

Federal is an area of focus for us the last what a year or so in a big way. Of course, we have always focused on getting our FedRAMP medium certification for a few years and that's definitely helped to get our name out there. But focused team building where we hired Bill Hawkins really to build up our federal sales practice, work with our partners. The first conference that we did from a marketing perspective to get quality from the name out there and the work that our team is doing with these agencies. And we highlighted one net new seven-figure deal and upsell for the seven figures in this quarter are really good sort of indicators of what the interest level is in consolidating multiple different tools. And that's the good news is even the federal space focused on complexity and cost is driving people to drop four or five different solutions in favor of one single Qualys platform. And typically these are bigger names that we are replacing as well. So we see the momentum. I think as you know, federal business is Q3 budgets and it's a little bit lumpy that way. But overall, we're seeing positive momentum as we get into the next few years. I think it takes time to build out that federal practice where it's a significant amount. And so we are looking forward to continuing that investment into next year on the federal side and then seeing the outcome of that. But we're pleased with what we're seeing right now.

Very helpful. Just a quick follow-up for Joo Mi. You touched on and mentioned the billing schedule, if I heard it right. If we can kind of delve a bit more into it all kind of change in terms of scheduling compared to what you perhaps said last quarter in terms of billing growth expected to mirror revenue growth for like mid-single digits in the second half. I'm just trying to understand if there are any factors which might be missing contributing to the upsides in relative to the revenues.

Yes. The current billings, it tends to fluctuate and there's definitely lumpiness in current billings when you're trying to use it as a proxy for booking performance or business trajectory. And so that's what I was commenting on. There was nothing really that was significant to highlight. There were some deals that were pushed out and then pulled forward. So nothing abnormal or significant. But last quarter, as an example, current billings happened to be lower than the bookings performance. And then this quarter, it's the reverse. Current billings growth happened to be higher than the bookings growth performance. So you see that fluctuations and that lumpiness. So I would say that if you're really trying to use that as a proxy for bookings, using it on an LTM basis is probably more accurate.

And our next question comes from Yun Kim with Loop Capital. Your line is open.

First, congrats on a solid execution. Sumedh, good to see continued solid bookings around new products. If you can give us some insights into the go-to-market around these new products, for instance, do you think the sales process for these new products is that primarily driven by renewal process? And also, what kind of traction are you seeing with new customers for these new products?

Yes. I mean, as we talked about it, right, if you look at batch management, cybersecurity asset management, 24% of LTM net new bookings is basically coming from these products. And so this is really thanks to the execution in sales enablement, sales training that Dino and team have been really focusing on is the ability for our sellers to go in and not have the conversation of, oh, our scanner is a little bit better than the other scanner, really to talk about the comprehensive ROI of saying you cannot scan without an inventory, and there is no point of scanning if you don't patch things. And so Qualys is the only platform that is really providing the ability to have all of these three together. And so in this market, that is what is helping customers make the decision to say, even if they may be satisfied with the current scanner that they have from a scanning perspective, when you look at it holistically at their vulnerability management workflow, and we had the session at our QSC where we said Qualys is putting the M back in VM, is the management of vulnerability management process is important. And so as our sellers are now going in and positioning the comprehensive packaging, and a new business is giving us advantage because then when we provide that and the sellers, the customer goes back to a competing solution, they cannot offer patch management. They're not offering patch management. In fact, I talked to a CISO of a new logo that just came on board, and he said he did talk to our competition and said one of them is doing patch management. They said, well, then in that case, you should go to Qualys. And so we're seeing that these new product capabilities are differentiating as we are evolving out of just a vulnerability management scanning tool, which is something that people are not focusing as much on to just say, okay, we want to scan stuff. So new products are getting momentum. As I said, TotalCloud, we had a good quarter with TotalCloud and we're happy with that right now. So we are seeing even net new business people coming to us look at to say, well, I could buy a cloud scanning only solution, but then it doesn't scan my desktops and my laptops. So might as well go with something like Qualys, which again is providing a comprehensive solution where we're not cloud only, though we are very good at the cloud security. We also provide the ability to assess all of your other devices as well in the same context. And so enablement has been a key focus for us this quarter, and we've been really putting a lot of focus on getting our sellers to articulate the newer messaging rather than just going in and saying our scanner is better than your scanner.

Okay, great. Just want to make sure though, is the selling around these new products driven by the renewal process or is it independent of that?

Sorry, the what process?

The renewal.

Oh, renewal?

Yes. Are you selling these new products in conjunction with renewals or is it really, really independent of the renewal process?