QLYS - NASDAQ

Ladies and gentlemen, thank you for standing by. Welcome to Qualys' Second Quarter 2025 Investors Call. [Operator Instructions] Please be advised that today's conference is being recorded. I would now like to turn the conference over to Blair King, Investor Relations. Please go ahead, sir.

Thank you, Michelle. Good afternoon, and welcome to Qualys' Second Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, President and CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. The factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like now to turn the call over to Sumedh.

Thank you, Blair, and welcome to our second quarter earnings call. In Q2, we continued to execute well, resulting in another quarter of solid revenue growth and profitability. In this new era of cybersecurity driven by advanced data analytics, automation and AI, Qualys is pioneering a new risk operations center category in cybersecurity and redefining how organizations manage cyber risk. While traditional security operations center SOC focuses on detecting breaches after they happen, the ROC is built for prevention. Qualys' cloud-native ETM enterprise risk management solution powers this transformation. With over 18 trillion data points processed in real time, we have unleashed the power of our platform to integrate and normalize signals from both Qualys and non-Qualys tools, including CrowdStrike, SecurityScorecard, Tenable and Wiz. Unlike other continuous threat exposure management solutions that simply highlight exposure and lack effective remediation or business context, Qualys' ETM solution is a powerful orchestration layer, aggregating both Qualys and non-Qualys security findings, applying threat intelligence and delivering a unified business contextual view of risk with holistic prioritization and automated remediation. This business-aligned approach to pre-breach cyber risk management continues to resonate strongly with customers and boards and positions Qualys at the forefront of a paradigm shift in cybersecurity, one defined not just by the detection of vulnerabilities, but by measurable proactive automated risk reduction at scale. With active POCs already converting after announcing GA just a short while ago, we continue to see many parallels between this new market opportunity and the early days of our VMDR launch, including a significant greenfield opportunity and growing demand. With our latest announcement yesterday, we are very excited to introduce Qualys' latest game-changing vision for the future of cyber risk management with the launch of a fully reimagined Agentic AI platform built on a unified fiber to seamlessly manage cyber risk across a multi-vendor environment. At its core, every cyber risk AI agent represents a specialized autonomous AI fabric equipped to automate complex business processes and autonomously adapt to customers' environment by accessing diverse internal and external data sources, applications and machines. These agents achieve complete end-to-end outcomes for cybersecurity teams. Available in a first-of-a-kind Agentic AI marketplace for risk management, CISOs can now quickly augment their team with highly specialized autonomous experts that can bring down the time to remediation, increase accuracy and reduce costs. Users can use out-of-the-box cyber risk agents available in the marketplace, interactively create their own specialist agents or leverage third-party agents for our -- from our partners that can be added to the marketplace in the future. Further advancing our remediation focus beyond patching, we are also introducing new capabilities to our TruRisk Eliminate umbrella of remediation solutions. Now organizations can quickly determine trending risks to their environment, the estimated impact of a breach on a particular asset and the probability of successfully applying a patch. If applying a patch is deemed a significant operational risk to the business, security and IT teams can alternatively choose to automate an array of compensating controls to prevent an incident from occurring. Embedding Qualys' AI assistance directly into remediation workloads is a significant adoption lever, a strong competitive differentiator and opens new market opportunities well beyond patch management. Continuing this rapid pace of innovation, we are further broadening our ETM solution and bringing natively integrated Identity Security Posture Management, ISPM to market at a time when identities have become part of the new perimeter. Compromised credentials are central to nearly every major cyberattack today, and Qualys' solution is aimed at helping organizations stay in front of adversaries by continuously analyzing identity systems for misconfigurations, excessive privileges and toxic combinations with assets. By unifying the identity risk surface, we eliminate silos and help security teams visualize identity exposure and remediate risk before attackers escalate privileges or move laterally. Spanning devices, cloud workloads and applications, Qualys now provides holistic protection using Qualys and non-Qualys data sources across key identity touch points mapped to asset criticality and backed by real-time remediation through a single natively integrated platform. These innovative new approaches to cybersecurity risk management, along with several others we are showcasing at Black Hat this week, allow our customers to reduce complexity and cost, achieve better outcomes and create a multidimensional path for durable long-term growth in our business. Moving on to the business update. Over the last several months, I have personally met with many customers, prospects and partners, and the message has remained resoundingly clear. Organizations are increasingly anchoring pre-breach cyber spend to solutions that articulate and demonstrate a measurable impact on cyber risk. Rather than consolidating around a single vendor, CISOs are seeking platforms that allow flexibility across their security stack while unifying risk through a common framework. This requires a centralized risk fabric, which brings together diverse tools and enables teams to uniformly assess, prioritize and remediate risk. With a 25-year track record of converting operational challenges for customers into strong competitive advantages, we are well-positioned to capitalize on these evolving market opportunities. In Q2, this success was demonstrated by the number of customers spending $500,000 or more growing 7% from a year ago to 212. It was also evidenced by notable industry endorsements in the market we helped pioneer. Qualys' VMDR with TruRisk and TotalCloud were voted the best vulnerability and cloud security posture management solution, respectively, at the 2024 SC Awards in Europe. IDC named Qualys as a major player in CNAPP and KuppingerCole recognized Qualys as a leader in CNAPP and a market leader in attack surface management. Let me share a couple of recent wins, which illustrate these accolades and reflect why companies ready to centralize their response to cyber risk are turning to Qualys to help unify their security tools, quantify and remediate risk in their environments and achieve better security outcomes. First, a global fintech company determined that managing siloed tools added complexity to their operations, lacked integration and mis detections, which hindered their ability to assess risk and centralize remediation. This customer chose Qualys to transform siloed risk signals spanning core repositories, endpoints, identity, cloud, container IT and network assets into a cohesive real-time risk management solution by consolidating Qualys and non-Qualys data. This included purchasing 7 Qualys modules, including ETM to bring -- to begin operationalizing their risk operations center with ingested data from CrowdStrike BitSight and Wiz, resulting in a 7-figure annual bookings deal. By consolidating these data sources into the Qualys platform, we are now delivering this customer a vendor-agnostic orchestration layer with full visibility of their attack surface, centralized risk assessment, quantification, prioritization and remediation while unleashing the operational efficiencies of security stack consolidation aligned with acceptable risk parameters for the business. Another marquee win was a large federal government agency previously using multiple legacy and next-gen solutions to manage a variety of risk management use cases across their IT security and DevOps teams. In addition to the complexity of using multiple point products, this government agency was frustrated with increasing costs associated with outdated on-prem deployments from last several years. Looking to migrate to a cloud-native solution that meets the CISO binding operational directives, they are now in the process of replacing 2 of their existing vendors in a high 6-figure annual booking deployment using 10 Qualys modules, including Cybersecurity Asset Management, VMDR, Patch Management and TotalCloud. Through this highly strategic and competitive win, the customer is now able to leverage unified dashboards across nearly a dozen separate bureaus that provide them a greater insight and automation that can -- that any of the competitive products that they had evaluated while taking full advantage of the speed and scale of the integrated platform. With out-of-the-box support for CDM within the CISO framework, we are now working towards a Phase 2 agency-wide rollout of the cybersecurity asset management solution, representing a significant upsell opportunity for us. Beyond this win, we are pleased to announce Qualys has recently received agency authorization for FedRAMP High. With this authorization, Qualys is the only FedRAMP High platform offering inventory vulnerability management, patch management, CSPM, container security and EDR in a single unified workflow across hybrid environments. As government agencies increasingly transition workloads from on-prem environments to the cloud, the achievement marks a significant milestone and establishes Qualys as the only modern alternative to legacy scanners for federal, state and local agencies. Our authorization consolidated platform and continued investment in public sector expansion underscore our commitment to this market and position Qualys well to drive long-term incremental growth. That momentum was on full display at our second annual public sector risk conference, Cyber Risk Conference in May, where we were especially encouraged by the strong turnout and positive feedback to the concept of a risk operations center to bring efficiency to government agencies instead of playing risk whack-a-mole with multiple siloed legacy solutions. Investing in our partner ecosystem remains a key pillar of our growth agenda. Through our strategic technical alliances program, we are driving deep technology integrations, cross-selling opportunities and demand generation programs. We believe this expanding ecosystem bolsters our capacity, harnesses transformative solution sales and brings new business to Qualys. Additionally, we have advanced our Global ROC ecosystem by certifying 3 new strategic mROC partners who wanted to partner with Qualys to bring the ROC to their customer base. With growing channel momentum and a growing pipeline of fresh new mROC services being offered to customers, we look forward to sharing some exciting new wins in the upcoming quarters. With more and more customers and partners beginning to perceive Qualys as a leading pre-breach risk mitigation management platform that consolidates and orchestrates multiple security solutions and workflows, I am pleased to announce May Mitchell as our newly appointed CMO. Pipeline creation, growing module adoption, winning new business and evangelizing the AI native ROC are key priorities. With May at the helm and her long experience in cybersecurity, we are intensifying our marketing activities and increasing focus on ramping top-of-the-funnel initiatives and enhancing brand awareness to help drive adoption of the Qualys platform to new heights. To further accelerate awareness and unleash new Qualys capabilities for customers, I'm also pleased to announce the launch of our Qualys platform pricing model, where we enable customers to purchase Qualys units, QLUs, providing access to the entire platform and flexibly utilizing Qualys modules of their choice over the course of their subscription term. Instead of purchasing Qualys modules individually, organizations now adopt the products they need today and in the future through a frictionless process designed to flexibly replace existing technologies and seamlessly switch between Qualys modules. Customers are expressing strong enthusiasm for this new pricing model, and we believe it will further enhance long-term customer loyalty, drive larger lands, reduce costs and bolster cyber resilience over time with more customers adopting more Qualys solutions faster. In summary, Qualys is well armed with fresh new capabilities and a new agency authorized FedRAMP High solution for government-wide use, strong channel momentum and flexible platform pricing to help customers unify prebreach risk management workflows, reduce cost and address today's toughest security challenges. With trusted innovation and early ROC adoption, we're strengthening our position as the partner of choice for customers ready to centralize the response to cyber risk and believe we are poised to outpace our competitors, extend our thought leadership and build upon an already strong foundation to drive durable long-term growth in the business. With that, I will turn the call over to Joo Mi to further discuss our second quarter results and outlook for the third quarter and full year 2025.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that, except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. Turning to the second quarter results. Revenues grew 10% to $164.1 million. The channel continued to increase its contribution, making up 49% of total revenues compared to 46% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 4%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the U.S. was ahead of our domestic business, which grew by 7%. U.S. and international revenue mix was 57% and 43%, respectively. In Q2, despite ongoing macroeconomic uncertainty, our gross retention rate and upsell execution improved with our net dollar expansion rate of 104%, up from 103% last quarter. In terms of product contribution to bookings, Patch Management and CyberSecurity Asset Management combined made up 16% of total bookings and 26% of new bookings on an LTM basis. Our cloud security solutions, TotalCloud CNAPP, made up 5% of LTM bookings. Turning to profitability. Adjusted EBITDA for the second quarter of 2025 was $73.4 million, representing a 45% margin compared to a 47% margin a year ago. Operating expenses in Q2 increased by 15% to $67.7 million, driven by investments in sales and marketing and R&D. Demonstrating our ability to innovate and invest in our long-term growth initiatives while remaining capital efficient, EPS for the second quarter of 2025 grew 11% to $1.68. Our free cash flow was $32.4 million, representing a 20% margin compared to 33% in the prior year due to fluctuations in working capital. Normalizing for this, the first half 2025 margin was 43% compared to 45% in the prior year. In Q2, we continue to invest the cash we generated from operations back into Qualys, including $1.3 million in capital expenditures and $49.2 million to repurchase 375,000 of our outstanding shares. Since commencing our share repurchase program in February 2018, we've repurchased 10 million shares and returned over $1.1 billion in cash to shareholders. As of the end of the quarter, we had $254.6 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenue. For the full year 2025, we expect revenues to be in the range of $656 million to $662 million, which represents a growth rate of 8% to 9%. This compares to prior guidance of $648 million to $657 million. For the third quarter of 2025, we expect revenues to be in the range of $164.5 million to $167.5 million, representing a growth rate of 7% to 9%. While we believe our platform approach to cyber risk management provides some insulation amidst macro volatility, this guidance assumes continued budget scrutiny and a challenging environment for new business growth in 2025. Shifting to profitability guidance. For the full year 2025, we expect an EBITDA margin in the range of low to mid-40s, applying a 15% to 17% increase in operating expenses and a free cash flow margin in the mid-30s. We expect full-year EPS to be in the range of $6.2 to $6.5, up from the prior range of $6 to $6.3. For the third quarter of 2025, we expect EPS to be in the range of $1.5 to $1.6. Our planned capital expenditures in 2025 are expected to be in the range of $7 million to $9 million and for the third quarter of 2025 in the range of $1 million to $3 million. We continue to believe organizations will increasingly adopt cloud-native full-stack security and compliance coverage to meet the demands of today's threat landscape and reduce costs. As the impact of the macro economy unfolds, we are closely monitoring the business environment and we'll continue to adjust our priorities accordingly. That said, considering the long-term growth opportunities ahead of us and our industry-leading margins implying further room for investment, we intend to continue to responsibly align our product and marketing investments to focus on high-impact initiatives aimed at driving more pipeline, accelerating our partner program and expanding our federal vertical. As a percentage of revenues, we expect to prioritize increased investments in sales and marketing and engineering with a more modest increase in G&A, consistent with our commitment to balance long-term growth and profitability. With that, Sumedh and I would be happy to answer any of your questions.

[Operator Instructions] And the first question comes from Jonathan Ho with William Blair.

Congratulations on the strong results. I wanted to maybe start out with the macro environment and get a sense from you of what some of the puts and takes are out there and especially relative to your ability to raise guidance, how we should think about sort of the conservatism that's baked in?

I think at a high level, as Joo Mi mentioned, right, the environment is kind of stable right now, but it continues to be challenging. So deal of scrutiny is there. I think customers are overall just a little bit more wait and watch to see how the impact of some of the current conditions is going to be on their spend through the rest of the year. And so we're just been factoring that in right now in the way that we are thinking. We're not assuming anything is getting better from an environmental perspective. So it's more assuming that it's going to continue kind of as is.

Yes. And from our perspective in Q2, we did see a slight improvement in the net dollar expansion rate, moving up to 104%. We've been at 103% for several quarters in a row, and our low was at 102% a year ago. And so we are optimistic that we were able to make an improvement from both the gross retention as well as upsell perspective this quarter, which kind of indicates that the market and the selling environment is actually not worsening. We see an opportunity to upsell more of our newer products, have more conversations with our customers. And although the new business continues to be challenging, and we expect that to continue throughout 2025, we do see some upside when it comes to expand with our existing customers.

Excellent. And just in terms of a follow-up, can you help us understand how maybe the mROC messaging has been performing? Just given the challenges of selling sort of new platforms in the environment, what's maybe resonating the most with customers and causing them to choose to go in the mROC direction?

That's a great question. I think a lot of partners who are providing sort of SOC/MDR services is a bit of a saturated market. And for them, this threat detection after a breach has happened is what they are focused on. And so what partners are excited about is being able to go back to those partners who have a SOC -- to those customers who have a SOC and being able to position a new solution and new services, which is proactively managing your risk and helping prevent. A lot of them sort of provide some managed vulnerability service here or there, but there is no -- and then there is cloud and then there is identity. And so when you look at risk management, there is sort of no easy holistic service that a lot of them are offering. And so what mROC does is part of the managed risk operations center concept, they can go to the customers that have SOC and say, "Hey, we now have a new capability that you can upsell to, which allows you to implement a similarly operationalized risk operations center environment built on the Qualys platform, and it does not require them to switch out solutions that they are potentially using for cloud security for identity that this is something that can be built on top of that." And so they're excited about that because this allows them to create services and services revenue is very interesting for them rather than just a few points here or there on the price of the individual SKU. And so in some cases, we can potentially add $5 of service to $1 of ETM that they could sell as a representative example, right? And so that is where we are seeing these partners are excited. Of course, they have to build out new services and they have to build out new practices to be able to do that. But the excitement of being one of the few mROC partners that actually is able to offer this service is very interesting for them because that differentiates them from the other 200 players that are only offering MDR.

And our next question will come from Roger Boyd with UBS.

Joo Mi, I was wondering if you could just help us kind of bridge the gap between revenue and billings growth. I know that's not a metric you guide to, but you've previously given some directional color about the growth of those 2 numbers being in the same ballpark. Just trying to get a sense of the difference there, what you're seeing from a billings front, anything to be mindful of around deal timing given RPO bookings look, I think, pretty strong this quarter. Anything else to be mindful there, FX or anything else would be great.

Yes. So revenue is lagging. I would say that current billings on an LTM basis could be indicative of the bookings performance, which is more of a leading indicator. So I understand the focus on the current billings. At the beginning of the year, what I had kind of given an indication for for current billings at around like 6% to 8%, in line with the revenue growth guidance, 6% to 8% at the beginning of the year. For current billings, I would say that still remains true, probably the best indicator or guidance I can give at this time. Now on the revenue side, you could see that we've outperformed, booking 10% growth rate for Q1 and Q2, guiding to 7% to 9% for Q3. And so what that implies is current billings going up from 7% to 8%, 7% in Q1. Q2 looks like we closed it at 8%. But in the second half, because of the tougher comparison relative to the second half of last year, we are anticipating it to kind of come down to land around 6% to 8% for the full year for current billings.

Got it. That's helpful. And then just as a follow-up, Sumedh, nice to see FedRAMP High. Just any insight into kind of your expectations for the federal vertical in 3Q? My gut assumption is that it's probably difficult to think that can be super impactful in the next quarter, but would love to get kind of your view on the opportunity there.

Yes, for sure, right? I think expecting any federal movement happening within a few weeks of us getting the FedRAMP High would be a little bit too much expectation. But I think -- so see, for us, this has been a long-term focus and investment that we have been making. And as anybody who goes for FedRAMP by FedRAMP High will tell you this is a significant investment to really get there. And so we're super excited to now have that FedRAMP High platform that does vulnerability management, patch management and cloud security. And so that really is going to open us up opportunities. Obviously, right now, you kind of have a mixed bag with some folks kind of waiting to see how things progress with the cost reduction. Others are seeing this as an opportunity to change out their incumbent vendors to new solutions. And so FedRAMP High coming at this time bodes well in my mind for opportunities that will get created over the next few quarters because now we could go and we could basically showcase that we are the modern solution that is FedRAMP High. And so as they are looking for efficiency and moving out of legacy on-prem solutions, their options are a non-FedRAMP High solution in the cloud or a FedRAMP High solution with Qualys. And so I think that is an advantage, in my opinion, for us, and we look forward to leveraging that. I'm also looking forward to a lot of other commercial companies that actually are FedRAMP High or looking to get FedRAMP High need a FedRAMP High solution, and you have a lot of big companies who are looking for that. And so that puts us in an interesting opportunity, again, where it's not just the government agencies themselves, but we can also see potential pipeline buildup from commercial entities that are currently in the process of trying to go FedRAMP High or FedRAMP High and want to switch to a solution that is also FedRAMP High because there currently is no other solution that can do like FedRAMP High patch management as an example, right? So I don't really expect anything immediately in this quarter. But I think with the momentum that we're seeing, our investment in the federal side, the conference that we did and now getting FedRAMP High, I think this is a key for us, as I mentioned in the last few quarters as well that federal over the next couple of years can be an important area of growth for us.

And our next question will come from Kingsley Crane with Canaccord.

Echo, congrats on a really strong quarter. Nice to hear about Qualys Flex pricing. I think this has been something you've been considering for a while. I want to hear more about what kind of impacts we could expect as a result, like perhaps larger commitments. And I just want to clarify if any of the large deals in the quarter were Flex pricing.

So it's early days right now, but the feedback that we have gotten has been very positive, right? So we want to get this out that we want to get some of these deals closed. But overall, today, if a customer buys VMDR, then they are interested in trying patch management, like that's a whole process that they have to go through to buy their additional SKU win. And so as we move into this QLU pricing, essentially, if they buy any number of QLU pricing, it gives them access to all Qualys modules, right? They have access to it. Of course, if they want to use it, they have to buy additional units to be able to leverage those. And so for somebody who's maybe focusing on vulnerability management, they want to try patch management, they can just do that now with the Flex pricing without really having to go and get a whole new SKU purchased, et cetera. So that is where it's exciting for them is that they can look at the utilization, they can try new capabilities. And then as they like those capabilities that they can actually buy more units to be able to use those capabilities at scale. And that's really where we see the opportunity. And so we are looking forward to seeing the kind of uplift that we can get because that can get a customer interested in buying fewer additional units so that they can leverage broader platform capabilities, right, as they do the purchase. So that's the hypothesis and the way we are seeing the early conversations with customers, but we still need to get a few of those deals closed and then we'll give updates as we see the progress happening. But it is definitely something that we see as a key aspect over the next year or 2 for us to push forward so that we can create upsells. And also for net new customers as we're seeing net new customers also coming in, buying multiple modules upfront. As you can see, CyberSecurity Asset Management and Patch Management already 26% of bookings for net new customers, like that will give them the opportunity to leverage newer capabilities and more capabilities, which then allows them to potentially buy more units as they roll that out.

Great. Yes. I mean the model -- it's great for customers and it's good for you. And so for Joo Mi, so you just brought on May Mitchell, and we're talking about investing in more key marketing initiatives. Of course, we've had some pretty significant earnings upticks over the past 2 quarters on the guide. So I mean, should we expect that some of these are really going to be more of a focus in fiscal '26?

I would say that we're ready to get started because we've kind of built the momentum, because if you take a look at our sales and marketing for the first half of this year, it's grown by 15% year-over-year nicely. And then even on the R&D front, we grew by 8% in Q1. We ramped that up to 15% because R&D also included product management. And so the entire GTM team has been working very closely together to make sure that we work on the value proposition, how we're positioning our product to not just our sales reps, but more importantly, a partner-first approach. So we are really working with the entire team, including the engineers, to make sure that are we working on the right product enhancements. Are we messaging it correctly and then really focus on the partner marketing front? And so we do anticipate the increase in sales and marketing investments up from the 15% level that we saw in Q2 and then same thing on the R&D side.

And the next question will come from Rudy Kessinger with D.A. Davidson.

Joo Mi, the revenue outperformance historically has been pretty minimal on your quarters. Last 4 quarters now, you've beaten on revenue by about 2%. Is there any more color you can add to that? Just what's been driving that relative to your guidance? Have you guys just adopted a more conservative guidance framework in general? Is it because of the macro conservatism or any professional services revenue potentially driving that upside?

Yes. It's not professional services, but it definitely had to do with the fact that when we first guided to revenue at the beginning of the year, there was a good amount of uncertainty in the business with respect to macro as well as if you're taking a look at our current billings, kind of the trajectory of historical performance and with our revenue coming down, we wanted to make sure that, look, if I'm looking at a potential range of outcomes, for the business, given that we are pivoting significantly into ETM, a new platform play, introducing new products and the difficulty that we've had with expanding the spend with our existing customers, we were looking at a more conservative scenario, and it could have gone that way. But thankfully, as you see by our performance, we've done really well in the first half. I think the team has worked really hard to make sure that we're making up for kind of all the underperformance, if you will, like that we saw at the end of last year. With our CMO in place and we're continuing to look for our new CRO, we are hoping that we will continue to make good progress on this going forward through the end of 2025. And hopefully, we'll be able to make some meaningful improvements in 2026.

Okay. That's helpful. And then on current calculated billings, TTM current calculated billings, it sounds like you guys are still expecting 6% to 8% for the year. What would be the drivers of upside to that figure? And irrespective of where it lands, should we still look at TTM billings as the go-forward indicator of next 12 months revenue growth as we exit this year and go into '26?

Yes. I think that would be the best proxy at this point if you're thinking about 2026 revenue. But on current billings, I would say that the higher probability of us outperforming with our existing customers given our newer products, like, for example, our net dollar expansion rate did increase to 104%, up from 103%. If you were to call out 2 areas where it could -- the additional growth could come from new land versus existing customers, I would say the latter.

The next question comes from Trevor Walsh with Citizens.

Sumedh, maybe to start with you, great to see the product development that you're working on as far as AI agents in the marketplace and kind of all the ways in which that can, I guess, boost the platform. There's been a lot of activity in that space, I guess, AI security, just generally kind of M&A-wise this week, given Black Hat and others. Just curious kind of what your overall take is on that space, given some of that -- those announcements and just as a product person yourself, how you feel about building versus buying there? And if this is somehow different in the space - the pace at which some of these tools are kind of moving and growing that, that might get you off the fence to do something around the same lines or if it's more thinking you can do it kind of organically internally?

Yes. Thank you for that question. I was like with 4 questions in and nobody asked about AI. I'm so excited about it. But it's super exciting, right? If you get a chance to really go through that. I think the way we have positioned and created these capabilities is really bridging that gap between like the Agentic AI being some piece of core somewhere versus sort of having a marketplace where you feel like you're actually able to hire a Tuesday expert who knows absolutely end-to-end how to coordinate scans, how to coordinate assessment, how to coordinate prioritization, how to coordinate reputation and gets all of that thing done all in one, and they have a name, they have a persona, you can rate them. And so that's been super exciting for us. And we have been really able to get that. We've been working on it for a few months. But one of the things that's happening in AI in general is the advancement of technology is happening at a rapid pace, right? And not to get too much into the depth of it, but if you look at like RAG came out a year or so ago and now what we are leveraging is in big ways MCP protocol, right, like the model context protocol. And MCP allows customers to much more rapidly take their existing solutions and use them with overall AI agents because they add a layer of context on top of their existing APIs and existing databases and existing data stores, right? And so that allows us to do this much, much quicker than what we have. And so I think AI security is following the same that as AI concepts and AI protocols are evolving so fast. People are also trying to figure out, well, what does that mean, right? If you were looking at RAG Security, where you are bringing all of your data into one single vector database maybe a few months ago, suddenly, you have MCP, which is sort of bringing a new layer. Now bringing that new layer of MCP doesn't mean that your existing data store and all of that does not have to have the traditional security. It still needs to have the security that you need to. And so what our team is doing is really rapidly tracking sort of these enhancements and new capabilities that are coming out in AI and responding accordingly. And that's why we came up with TotalAI a few months ago when people were running LLMs in their own environment. And now we're seeing LLMs being run at least the foundational LLMs, being leveraged by from BedRock as a Service. And so we're pivoting quickly to provide capabilities around MCP protocol, MCP discovery and MCP mapping as well as MCP authentication and authorization capabilities. So I think there's always opportunities for us to look at players that are upcoming, but it's just so dynamic right now that we also want to wait and watch as we develop our own solutions to see which direction is going to be the stable direction for some of these AI capabilities to go.

That makes total sense. Maybe a quick follow-up for you, Joo Mi, just more of a clarification. So now that you have the FedRAMP High in place, I know that some of the investments in the past around sales and marketing were to build out the public sector team. So do you feel like those investments now are just kind of waiting to deliver on the ROI of those? Or will there still be as part of that increased spend you noted going forward, kind of public sector pieces or elements to that?

There are definitely pieces just because we are making sure that all the investments that we need to achieve that ramp high have already been made. But with that said, there's maintenance and there's also GTM efforts, right, marketing efforts to make sure that we just opened up the D.C. office to make sure that our customers know that we have a presence in D.C. And so we'll be working very closely with our marketing team to make sure that we have all the opportunities out there. I think that from a meaningful bookings perspective, it won't happen until next year. But we've been ready. I think it's just about execution at this point.

And the next question comes from Patrick Colville with Scotiabank.

This is Joe Vandrick on for Patrick Colville. Sumedh, that global fintech win you highlighted is a great example of consolidation on the platform. So how often are your conversations turning into multiproduct platform deals versus customers just buying a module to solve the specific pain point?

The way the space is evolving is very interesting, right? There are opportunities for consolidation with -- in certain areas with the vendor, and you see that happening with CNAPP, where in the past, it used to be multiple cloud and security solutions are kind of going under one umbrella. But we also see that customers are not necessarily looking to have every single capability from the same vendor. So there are areas and vendors that they trust for certain use cases, and they want to stick with those vendors. And so what we see when we are talking to customers is a combination of in areas where they are like, hey, look, I want to consolidate vulnerability and patching and some of those cloud things with you. But for identity, I still want to continue to use Okta and for ADR, I'm still using CrowdStrike and I want to use SecurityScorecard for third-party management. And so that's kind of where -- and that deal that I highlighted was great because we saw a bunch of modules they took from Qualys, but then they also took the ETM module, which allowed them to bring third-party data from their existing solutions to consolidate into a single fabric to get a single view of their risk. And so that's what we are excited about is like while it's early days, if the customer wants to consolidate certain capabilities, we have a bunch of those modules. And in the cases where they don't necessarily want to consolidate right now, we don't have to walk away. We still have an ETM solution that they can purchase to take the data from the existing modules and actually provide better value of their investment in some of these third parties. And in one of the conferences in D.C., I showcased this sort of a funnel view where we took 65 million findings across Wiz, CrowdStrike, Qualys, SecurityScorecard. And after we applied the Risk Operations Center paradigm, threat detection and business context, it went from 65 million overall findings to 2 million that actually mattered. And then after we applied the business context, it went down to 300,000 that actually were adding business risk to the customer. And that kind of an outcome from a risk operations center really was exciting for them so they could get the value without having to do a vendor replacement and going through that process, they could combine Qualys modules with third-party data and get real meaningful outcome and value for their Board.

That's helpful. And then maybe one for Joo Mi. You guys mentioned an improvement in gross retention and net retention. So I'm wondering if you attribute that mostly to the macro environment? Or is that driven by improved execution or maybe a little bit of both?

I would say it's hard to parse it, but it's probably a little bit of both because if you're talking about our net dollar expansion increasing this quarter relative to last quarter, it's a cohort of customers that were up for renewal in this quarter. And from the discussions that we were having, it's not just that we start today. We typically start discussions like throughout the entire year, like definitely at least a quarter before the intended renewal date. And what we've seen is I think that there's less of a macro headwind today than we saw definitely at the beginning of the year. So with our continued execution, continue having multiple discussions of our new products and the value prop and how we're evolving as a company and how our product suite that it makes sense for them, especially with what's upcoming with the new pricing model, it's really resonating with our existing customers.

And our next question will come from Joshua Tilton with Wolfe Research.

Two for me. The first one is, Sumedh, unless I misheard you, I think you spoke to some channel initiatives that you expect to drive some large deals in the second half. Is there anything you can elaborate on those large deals? Is it new customers? Is it existing customers expanding? And more importantly, are these deals baked into your revenue outlook in your 6% to 8% billings growth expectation for the full year? And then again, I have a follow-up.

Yes. No specific deals. What I talked about strategically is the risk operations center concept is resonating well with the CISOs of the partners' customers. And they are working with us to get the mROC certifications and then mROC services deployed in our catalog and for them to be able to sell those. And what we are seeing is the conversations are driving their customers to look at the consolidation of certain areas as well as purchasing Qualys licenses on top of their existing solutions as well. And so we are looking forward to working with them for new business deals and taking some of our existing direct customers as we work with them to see if they have the right contacts that we can upsell to additional capabilities, but nothing specific at this point that we are talking about or baking in anything additional as part of that. This is more of a long-term initiative, and we are looking forward for our partners to start to help us build that pipeline, which obviously is going to take some time and closing that pipeline will take some more time.

Super helpful. And then maybe my second one, just more of a clarification, just a follow-up to Kingsley's question. New CMO, lots of exciting product announcements. It sounds like you guys are going to invest behind this to drive some additional growth. Are the investments that you plan to execute, are they fully baked into the second half? Or is this -- should we start to see these investments ramping next year?

Right now, we are starting the 2026 budget and planning cycle, but what we're planning to execute to is what we had planned at the beginning of this year. So it's fully baked into the guidance. And the way we're seeing kind of the traction and the increase in investments quarter-over-quarter is we saw some nice improvement with respect to investments in product management as well as the sales and marketing. We do see more room for us to take advantage of the current opportunities ahead with the newer employees in seed. And so we plan to continue to invest, and hence, we were guiding to the 15% to 17% increase in OpEx growth.

And the next question comes from Shrenik Kothari with Baird.

Congrats on the great results. Sumedh, you mentioned, of course, identity becomes the leading vector and the new periphery and now with the formal introduction of ISPM, which potentially seems like it can be an anchor for broader

Look, a lot of value that we add is our deep understanding in how attacks work and how vulnerabilities and escalation of privileges are tied to identities. And so for a while, we have focused on hosts and assets and servers and containers. And the second part of that is the posture view of the identity and how that creates a combination that can add additional risk, right? So a particular asset with a particular vulnerability, it also has an identity that has certain issues, now the risk is compounded as an example, right? And so the main differentiator that we bring is not necessarily that we are going to be the identity service provider or anything like that. But pulling in the identity posture view into the risk operations center, tying that identity view with the risk that we see coming from the infrastructure, the risk that we see coming from third party integrations and the risk that we see coming from any of the other sources like misconfigurations, cloud, et cetera, how do we bring a more holistic view of that identity and as it ties to the assets themselves and as it ties to the customers' vendors and how does that create a compound risk is really our main focus. And so it's not necessarily for that we are going to look to replace some of the providers that they might have for identity. It is more how do we integrate with the provider that they have for identities and then provide them a better view of the risk, which is not siloed only for identity, but it's actually a combined view of the identity and the asset together with the context of the threat actors who are utilizing that. That's really the focus.

Super helpful. And a quick follow-up for Joo Mi. So net dollar retention ticked up. Just looking out and looking forward, I know Joo Mi had talked about a potential sort of floor around 103%. Just how much headroom do you see just looking at -- I know it's backward looking, but at the pipeline trend conversions for the NDR and just from the ROC adoption, from the pricing model shift, just deeper sort of multi-model attaches with the platform model here. Just curious how you're thinking about going forward.

I do see an upside there because if you take a look at our low, it was at 102% a year ago, and we were hoping that would be the trough. And since then, we've been kind of holding steady at 103%. We did increase to 104%. Now if you're looking at our historical net dollar expansion rate in the most recent year, the highest we've seen was at 111% a few years back. And so given the ROC, given the Flex pricing, given newer products that we've just launched, I do anticipate that to continue to tick up. Not consistently, though, I'm not calling that. I think that for this year, I'm just assuming that no meaningful improvement in the net dollar expansion rate in the current guide. But with that said, that is something that we will be taking a look at very closely for next year's guidance.

The next question will come from Mike Cikos with Needham.

I just wanted to cycle back to the improved commentary we're hearing today on upsell activity. Is there a way for you guys to parse out? I know if I go back to Q1, towards the end of the quarter, we saw customers look to delay or weaker upsell activity than what was initially expected. How many of those customers came back to the table? Did all of them come back in during this June quarter? And was there a catch-up, so to speak, when we think about the results we have here today?

No, it doesn't quite work like that for us. Typically, what happens is there's a cohort of customers that are up for renewal because the majority of our deals are 1-year renewal. So if you think about the customers that were up for renewal in Q1, what we would -- what talking to them about is the renewal set of products and a dollar amount and then plus the upsell side. Like let's say, you were spending $100,000 with us and you had 10% increase in budget, how would you like to allocate that? Would you like to purchase more of the existing products, let's say, VMDR? Would you like to try out newer products that you hadn't had before for patch management as an example? So we will be having those discussions with those cohorts of customers up for renewal in that quarter. And typically, we would follow up with them, but it's not a meaningful percentage of customers who come back the quarter after to say, all of a sudden, they have increase in budget and they'd like to do a second upsell. So what you're seeing for Q2 is really this cohort of customers that are up for renewal in Q2.

Okay. And that improved 2Q upsell activity then was in any way a reflection of the macro? Or what did you guys do from an internal process standpoint to drive that behavior, whether it was from partners or direct?

Majority of our discussions currently are focused on partners. I would say that it applies still more to new land with existing customers. It's working very closely with partners as well as our existing GTM team to make sure that we're having the right conversations with the right set of customers. I think that it's not necessarily due to one versus another. I think the macro from our perspective definitely hasn't worsened. I think there weren't any surprises in the quarter when you're looking at external factors. We are getting better in terms of making sure that how we're communicating with our existing customers, how they should be thinking about Qualys products and adopting new products as well as utilizing their existing subscription, we've been getting better at it. And so I think all of it kind of contributed to the slight uptick in the net dollar expansion rate.

And our next question will come from Brian Essex with JPMorgan.

Yes, 2 for me. I guess, one, Sumedh, I think you alluded to maybe making some progress on the Chief Revenue Officer front. It's great to see the addition of May to the team. Just wondering what your timeline might be around that and how that might impact some of the go-to-market initiatives you might have?

Yes, soon as I find the perfect one. I think my focus was few months to really make sure we get the marketing team in shape because I think for us, it's really the messaging around risk operations center is key for us to grow in the future. As I said, we have a pretty good team under that from a sales perspective, that's been working well as you're seeing, improving our performance, and we look forward to -- as we continue to talk and interview people. I think I don't have a timeline right now. we're honestly just looking to find the right fit for us as we move more of a partner-led approach. So we need a CRO that's going to be focusing more on partners rather than building a direct sales force, et cetera. And I think from that perspective, it's not that necessarily we're holding back too much on the -- like we are continuing to invest in the business. And of course, whenever we have a new CRO we will work through and figure out kind of what the strategy change, if anything is needed, where that falls and then any investment changes, we will follow according to that.

Got it. Super helpful. And maybe a quick housekeeping question for Joo Mi. FX really moving around a lot this quarter. Just wondering what the impact was, I guess, both on the revenue side and then on the cost side of the business as you see it and what we should expect -- should we see the same, I guess, devaluation of the dollar towards the back half of the year?

Yes. For us, on both fronts, whether you're looking at the top line or the expense line, it wasn't material for us just because we do hedge both. And so what we'll do is we are monitoring it. When it becomes meaningful, we will call it out.

And the next question will come from Rob Owens with Piper Sandler.

This is Aidan on for Rob Owens. I think you touched on this a bit earlier, but can you speak to how channel and customer education efforts with the newer products and partners have tracked relative to expectations? And what are some of the hurdles that may still exist there with newer solutions and AI advancements?

No, I think the response has been great. One of the key strategy changes we made from getting this information out to the customer perspective is last year, we hired Rich Seiersen as the Chief Risk Technology Officer. He's author of the book, How To Measure Anything In Cybersecurity Risk. And that has led to a lot of CISO workshops around Board risk reporting, and this has really been very helpful for us for top-of-the-funnel activities. We're getting a lot of direct CISO conversations, and they are hearing about the conversation of the risk operations center. We're doing these workshops along with partners in many countries, where the partner will bring their customers and Rich will go and talk. And so I think those are all positive indicators, again, that the concept of a ROC is new, and they may not have budgeted for it. And so typically, once they come, they like the idea, they want to talk to the Board. We work with them, then that goes into a demo that goes into a POC and then that helps them sort of figure out, okay, I had budgeted for this year, how can I work on getting a budget that then I can get done, purchase the following year. So that's sort of where we're at in the journey. Super excited about the engagement we're seeing at the top and happy with the conversions we're seeing right now as well. And we have good things in the hopper. And so now it's about how do we get those closed. So I think getting this out to the right people is something I think we're doing well. I think now it's about how do we scale that and how do we get more people to close those deals.