QLYS - NASDAQ

Good day, and thank you for standing by. Welcome to the Qualys Third Quarter 2025 Investor Call. [Operator Instructions] Please be advised that today's conference is being recorded. I would now like to hand the conference over to your first speaker today, Blair King. Please go ahead.

Thank you, Briana, and good afternoon, and welcome to Qualys' Third Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements and factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

Thanks, Blair, and welcome to our third quarter earnings call. With threat actors continuing to reduce time to exploit at a fast pace, I believe the future of cybersecurity is moving from attack surface management to risk surface management using Agentic AI-powered proactive risk management with business quantification and automated remediation. Against this backdrop, we continue to execute well in Q3 demonstrated by another quarter of solid revenue growth and profitability. Over the last couple of years, I've had the privilege of meeting with hundreds of CISOs, CIOs and security leaders worldwide. From these conversations, one theme has stood out, the need to operationalize cyber risk management in business terms to align budget spend with business risk. CISOs are looking for a practical approach to consolidate tools where possible and empower their teams to use best-of-breed where it makes sense. They want to seamlessly unify their security tool set into a centralized risk fabric that provides an alternative to single vendor platformization by operationalizing the management of multiple risk vectors to effectively measure, communicate and ultimately remediate the organization's risk posture. The Risk Operations Center, ROC, powered by Qualys ETM delivers on this ask. At our recently concluded ROCon, Risk Operations Conference in Houston, where we elevated the business risk conversation to feature a specialized CFO and Board track, our customers validated this approach. With the broadening of the agenda for ROCon the attendance was up 20% over last year's QSC event. While traditional security operations centers focused on detecting breaches after they happen, Qualys is pioneering the first Agentic AI Risk Operations Center, ROC, a new category in cybersecurity designed to centralize an organization's response to threats before they impact the business. Powered by our ETM solution, the ROC processes several petabytes of high-fidelity data every day, normalizes and correlates intelligence from both Qualys and non-Qualys sources and equips AI and humans to collaborate in real-time detecting and responding to threats at machine speed. This isn't about more alerts. It's about actions that close blind spots before attackers can exploit them. Unlike traditional continuous threat exposure management CTEM tools that simply highlight the exposure, but lack adequate native remediation capabilities. Our differentiated ETM solution combines CRQ, CTEM and native remediation operations to fix the risk that matter most quickly and at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that Boards and customers value. Early adoption is already validating the model with POCs continuing to convert the commercial deployments, underscoring both the scale of this opportunity and its parallels to the early days of VMDR. And we're not stopping there. Our R&D engine is continuing to deliver innovations, rapidly expanding our platform and positioning Qualys for a larger upsell opportunity. In doing so, Qualys is now extending several proven module native capabilities into ETM, empowering organizations to harness them seamlessly across the entire attack surface. By demonstrating -- by democratizing trillions of security exposures from both Qualys and third-party tools, including vulnerabilities, misconfigurations and identities aggregated by our ETM solution, we are unleashing a sophisticated predictive platform that leverages a combination of Qualys TruRisk framework, our TruLens threat management capabilities and a mission-ready Agentic AI workforce operating autonomously from discovery to remediation with full ITSM integration. This unique combination of capabilities identifies trending threats in real time, benchmarks threats against peers, assesses organizational impact and quantifies risks in clear, actionable terms that matter most to the business. As a result, security and IT teams can continuously prioritize ticket and remediate threats based on organization risks associated with emerging exposure, targeting specific industries, asset types and identity. We believe these most recent additions to our ETM solutions further advance our differentiation in the market, enhance security operations and significantly accelerate measurable outcomes for customers. Next up for our ETM solution, I'm particularly excited about yet another pioneering capability from Qualys, TruConfirm. TruConfirm flexes the power of our platform to confirm exploitability before customers become compromised. Using automated validation at scale, we remove the guesswork for customers by running safe exploits over the network to confirm whether the attackers will succeed in their breach attempts while closing the gap between theoretical and actual exposure. This approach further allows customers to be laser-focused on prioritizing only exploitable blind spots for the next logical step, which is automated remediation with TruRisk Eliminate. Our industry-leading capabilities are increasingly being recognized by our customers, partners and third-party analysts. Specifically at Black Hat, Qualys won Two Pwnie Awards for our outstanding contribution to threat research underpinned by our strong leadership in threat intelligence and triage. Equally important, GigaOm recognized Qualys as the leader in Patch Management, a market Qualys pioneered with over 140 million patches deployed in the last year alone. While some competitors are only beginning to validate this strategy, Qualys has advanced well beyond patching. TruRisk Eliminate closes the unpatchable gap, enabling IT and security teams to automate an array of compensating controls when patches are deemed too risky to deploy or simply not available. And with adversaries increasingly exploiting vulnerabilities at AI speed, our umbrella of AI-based automated remediation solutions has evolved into a significant adoption layer, a distinctive competitive advantage and opens new market opportunities for Qualys. Moving on to our business update. With customers spending $500,000 or more with us growing 5% from a year ago to 211, let me share a couple of recent wins, which illustrate why organizations ready to centralize the response to cyber risk are turning to Qualys to help unify their security tools, quantify and remediate risk in their environments and fortify their security operations. In Q3, one of my favorite wins was with a Global 700 customer that was previously only using Qualys for PCI scanning. This customer, like many organizations, were buried under fragmented telemetry manual spreadsheets and disconnected tools. With little automation, their teams were spending more time documenting than reducing risk and consequently were burdened by an onslaught of compliance audits. This customer chose Qualys to transform siloed risk signals, spanning code repositories, endpoints, identity, cloud container and network assets into a cohesive real-time risk management solution by consolidating Qualys and non-Qualys data. This included replacing their existing vulnerability management vendor and purchasing 3 additional Qualys modules, including ETM to begin operationalizing the risk operations center with ingested third-party data resulting in a mid-6-figure annual bookings upsell. By consolidating these data sources into the Qualys platform, we are delivering this customer a vendor-agnostic orchestration layer with full visibility of their attack and risk surface, centralized risk management, quantification, prioritization and remediation while unleashing the operational efficiencies of security stack consolidation aligned with acceptable -- within acceptable risk parameters for the business. With our innovative technology, unmatched platform effect and focus on reducing risk and friction, this will underscore Qualys' ability to eclipse legacy siloed solutions and advance our leadership in the industry. It's also an outstanding example of how we are working with our managed risk operation, mROC partners of choice to activate the ROC with new win business. For the next phase, this customer is evaluating our TotalCloud native CNAPP solution and TruRisk Eliminate solutions while also bringing additional third-party tools into Qualys platform, representing a significant upsell opportunity. Further leveraging our mROC partner ecosystem to drive new logos was a new 6-figure customer win with a major airline in the Middle East. This customer chose Qualys because of our unified detection and remediation capabilities with TruRisk Eliminate. Nearly 9 months after announcing GA with our ETM solution and over 28 POCs converting to commercial success already, we have gained valuable insights into ETM pricing and packaging. As a point of reference, we expect that for every $1 of VMDR, ETM can drive an uplift of up to 100% now that ETM will include Cybersecurity Asset Management as well as other ETM feature enhancements such as those mentioned earlier and third-party data ingestion. Given this, starting with our Q1 2026 earnings call, we will shift from reporting cybersecurity asset management LTM bookings to ETM customer penetration as we believe ETM will be evolving into a key pillar of growth for Qualys over the next several years. Turning to our federal business. We achieved a high 6-figure upsell with an existing large government agency. This customer had previously used multiple legacy and next-gen tools to manage a variety of risk management use cases across their security, IT and DevOps team. In addition to the complexity of using multiple point products, this government agency has become increasingly frustrated with increasing costs associated with legacy on-prem deployments, the efficiencies of operating siloed systems and elongated remediation efforts. With a distinct need to shift several monolithic workloads to micro application across its hybrid environment on a FedRAMP high solution, this customer accelerated the consolidation of its security stack over 17 Qualys modules, including VMDR, Cybersecurity Asset Management, TotalAppSec, TotalCloud, TruRisk Eliminate and TotalAI. Today, this customer is leveraging a unified dashboard that provides them with a greater insight and automation than any of the competitive products they evaluated while taking full advantage of the speed and scale of cloud-native platform. This, alongside a significant 7-figure state win are a testament to the strength we see in our federal state and local government business and the long-term growth potential of the market. Beyond these wins, we are also increasingly gaining leverage from our partner ecosystem. In Q3, partner-led deal registration increased, demonstrating the success of our partner-first sales motion. In addition, we have now certified nearly a dozen partners who are actively launching mROC services, leveraging ETM to deliver centralized automated pre-breach risk management. Momentum is building towards a global ROC alliance, and we expect to certify additional strategic partners in the coming months ahead who are committed to positioning Qualys as their mROC partner of choice. Further contributing to our platform growth is our flexible platform pricing model, which we are calling Q-Flex. We beta tested Q-Flex in Q3 to help customers accelerate and maximize the adoption of the Qualys Enterprise TruRisk platform. In less than a quarter after introducing this model, we're seeing notable customer interest and tremendous success. To give you an example, an existing Global 10 customer made a multiyear commitment under our Q-Flex program, increasing their annual bookings by over 50% while adding new modules to their subscription count with Qualys. This win reflects our growing capabilities in risk management, and we expect the contribution from Q-Flex to continue to grow. In summary, our continuous innovation, early ROC deployment, strategic wins with federal customer -- and state agencies, momentum in partner-led initiatives and the initial adoption of Q-Flex collectively underscore Qualys' strength in unifying risk management workflows, reducing operational complexity for customers and addressing today's toughest security challenges. We believe these achievements not only validate our ongoing investments, but also position Qualys as a trusted leader in pre-breach risk -- cyber risk management, setting the stage for durable growth and long-term success. With that, I will turn the call over to Joo Mi to further discuss our third quarter results and outlook for the fourth quarter and full year 2025.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless stated otherwise. Turning to third quarter results. Revenues grew 10% to $169.9 million. The channel continued to increase its contribution, making up 50% of total revenues compared to 47% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 5%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the U.S. was ahead of our domestic business, which grew 7%. U.S. and international revenue mix was 56% and 44%, respectively. In Q3, gross retention continued to improve. However, upsells remain challenging with our net dollar expansion rate of 104%, unchanged from last quarter. In terms of product contribution to bookings, Patch Management and Cybersecurity Asset Management combined made up 17% of total bookings and 28% of new bookings on an LTM basis. Our cloud security solutions, TotalCloud CNAPP made up 5% of LTM bookings. Reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2025 was $82.6 million, representing a 49% margin compared to a 45% margin a year ago. Operating expenses in Q3 increased by 5% to $64.9 million, driven by investments in sales and marketing, which grew 9%. As we remain focused on driving growth, we are mindful of where to further increase investments while optimizing returns and others, which resulted in EBITDA margin exceeding our expectations in Q3. This demonstrates our ability to maintain high operating leverage, remain capital efficient while continuing to innovate and invest to support our long-term growth initiatives. With this strong performance, EPS for the third quarter of 2025 grew 19% to $1.86. Our quarterly free cash flow was $89.5 million, representing a 53% margin compared to 37% in the prior year. Year-to-date, free cash flow margin was 46% compared to 42% in the prior year. In Q3, we continued to invest the cash we generated from operations back into Qualys, including $901,000 on capital expenditures and $49.4 million to repurchase 366,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.4 million shares and returned $1.2 billion in cash to shareholders. As of the end of the quarter, we had $205 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenues. For the full year 2025, we expect revenues to be in the range of $665.8 million to $667.8 million. which represents a growth rate of 10%. This compares to prior guidance of $656 million to $662 million. For the fourth quarter of 2025, we expect revenues to be in the range of $172 million to $174 million, representing a growth rate of 8% to 9%. While we believe our platform approach to cyber risk management provides some insulation in macro volatility, this guidance assumes continued budget scrutiny in a challenging environment for new business growth in Q4. Shifting to profitability guidance. We expect full year 2025 EBITDA margin in the mid- to high 40s, net free cash flow margin in the low 40s. We expect full year EPS to be in the range of $6.93 to $7, up from a prior range of $6.2 to $6.5. For the fourth quarter of 2025, we expect EPS to be in the range of $1.73 to $1.8. Our planned capital expenditures in 2025 are expected to be in the range of $5.5 million to $7 million and for the fourth quarter of 2025 in the range of $1.2 million to $2.7 million. With that, Sumedh, and I will be happy to answer any other questions.

[Operator Instructions] Our first question comes from Roger Boyd of UBS.

Awesome. Congrats on a nice quarter. Sumedh, can you just double-click on some of the pricing you mentioned around ETM earlier. I just wanted to be clear on that 100% upsell metric. Is that inclusive of what you have with cybersecurity asset management and patch? And just now with the kind of packaging sort of figured out on that product, just your confidence in kind of the ability to start driving better upsell moving forward.

Yes, that's a great question. So from the way the pricing we're looking at it is the ETM pricing is going to include Cybersecurity Asset Management because as we talk to our customers, for building any Risk Operations Center, the foundation is asset inventory and without that, you cannot succeed. And so that was a big feedback that came about. So that's included. What we have added also is the Agentic AI capabilities for them to be able to augment their security team with AI agents so that they can really manage outcomes for cybersecurity within their spend and optimize because everybody has been asked about how they're optimizing their spend even in cyber. And the ability to have very focused threat intel that will allow them to validate exploits, so that's included. The upsell that we look forward to is then once they have used ETM to be able to get the inventory to be able to confirm that the exploit can work in their environment. Then they purchase TruRisk Eliminate, which includes patch as an example and mitigation so that they can get that particular thing actually remediated. Because at the end of the day, we can create all kinds of visibility, but given that attackers are exploiting vulnerabilities, if you saw the recent Mandiant report in minus 1 day on an average, which is even before patches are coming out, the key is going to be about being able to remediate things and mitigate things even if you don't have a patch available. So the pricing, to answer your question is 100% -- up to 100% is what we see with the addition of VMDR ability to bring in CSAM, Agentic AI, as well as ability to confirm exploitation. And then from there, the upsell will be they will -- they can upsell to eliminate so that they -- it allows them to do more in terms of actually getting an outcome.

Our next question is from Patrick Colville of Scotiabank.

I guess I want to ask 2 parts. One is on the Fed. I know the Fed is like a more nascent notion for Qualys, but what are you guys seeing in the Fed's, especially kind of in the first couple of weeks of 4Q given the shutdown. And then -- and the other question I'd like to ask is about the competitive environment. And the reason I ask this one is the one we get most from investors. And it's like is the competitive environment changing for Qualys, given noise from vendors like CrowdStrike and others who are claiming to be entering the space and winning share. So are you coming up against different companies now versus a year ago? And results speak for themselves, win rates seem high, but can you talk to that as well?

Yes, that's a 2-part question. So let me stay focused to answer both of them. So first one is on the federal side, as you already know, we are at our very, very early innings, and we made the investment and the commitment to get FedRAMP high, which has really created very, very powerful conversations. I mean I have the pleasure of actually being out in D.C. and having some very critical meetings there to start to have the conversation around Risk Operations Center, how it can help the government and essentially bring efficiency. And so you kind of have the dose, which is, of course, that is driving people to think more of efficiency in terms of how they can consolidate different things, and that's where the Risk Operations Center as a way to eliminate, fixing things that don't really matter to the risk has really resonated well with our federal customers. Today, it's not just the spend of the tool. It is the amount of spend you put in remediating things that the tool is telling you, which is a waste of time and money if those things are not even exploitable. So for us, what we are seeing is -- it's a very exciting early conversations. We see lots of opportunities over the next few years. Of course, when you have the current scrutiny that is going on, sometimes people are taking a bit of a wait-and-watch opportunity. In other cases, we're actually seeing opportunities coming to us because of the focus on being able to be efficient in terms of the Risk Operations Center. So it's a mixed bag. But overall, from what we see right now is we don't have as much exposure revenue to that part. We do see that this is an area that we have committed to invest over the next few years and FedRAMP was our first step. And now with our focus on the conference we did in D.C., and we are going to continue to invest in the federal space moving forward. On the vulnerability management and competition side, I think if you -- I was really excited to see that Qualys got the leader position in GigaOm's Patch Management above many of the other vendors that have been out there. Because really with what we have been seeing and what I saw a few years ago and why we have been talking about how vulnerability management is evolving, less about detecting more and more CVEs. Most people are barely fixing 5% of the CVEs that are being discovered because it's creating so much noise. So while there are other players that talk about discovering more CVEs, the focus for Qualys and what we are doing with the Risk Operations Center has been about how we are helping customers really narrow down and we did that at our conference, ROCon Conference, where we show a nice little representation of how 62 million findings after applying the right agent in threat intelligence went down to 2 million findings that really mattered in terms of any risk. And then further after applying business context went down to only 300,000. And so our focus has been shifting towards how do we help the customer actually pinpoint exactly what matters from threat intel perspective, but then also how can we help them immediately fix it, because of attackers are attacking things in 4 hours, you don't have time to go and create Jira tickets and ServiceNow tickets and wait for other teams to use different patching solutions and different mitigation solutions to do that. And so what we're doing now, what we're seeing is really an evolution of that is customers really like our capabilities, accuracy of detection, et cetera, but we have also opened up the platform now with ROC to be able to ingest data from other areas like OT or other EDR tools that might be collecting CVEs. So that we can help customers actually narrow down that focus of what really matters and the key exciting thing is for them to be able to get things fixed with Qualys, which is something that -- and validating the exploit and then getting it fixed with Qualys is what is focus for most of our customers right now. So primarily, we see Tenable, Rapid7. Yes, occasionally, we see some of the other tools that are talking about giving more CVEs. But customers are focusing more on how do we get the key things remediated quicker rather than discovering more which they are not fixing anyway.

Our next question is from Mike Cikos of Needham.

I just wanted to double check and congrats on the quarter here. Was there any onetime benefits to revenue or CCP that we need to take into account on our side? And then secondly, as a follow-up, Joo Mi, great to see the results. Net dollar retention obviously remains here at [ 104 ] what needs to happen for that net dollar retention to actually start picking up from where we are today?

Yes. With respect to CCP, nothing specific to call out, it was a solid quarter. As usual, you do get some benefit or negative impacts from out-of-cycle renewals, but nothing material that we think that's specific to this quarter. So it was really a solid growth quarter from an execution standpoint. Net dollar expansion rate, we'd love to get that up from [ 104 ] and upward, and this is part of the reason why Sumedh had commented on the fact that we've been really focused on making sure that we're delivering the message in terms of how ETM could be beneficial to our existing customers as well as new prospects. And so as we look to the cohort of customers that are up for renewal in each respective quarter, we're making sure that they understand the value that they could potentially see from whether they're looking to upsell from CSAM to ETM or cross-selling with adding ETM to their existing VMDR solution, and we think that, that could be a meaningful impact during the dollar expansion rate.

Our next question is from Kingsley Crane of Canaccord Genuity.

Congrats on a really great quarter. If we think about Agentic AI within the risk operations center, TotalAI within VM and then the CNAPP suite, they all require significant development resources to how are you prioritizing R&D spend across those initiatives? And just what metrics do you use to evaluate resource allocation?

Yes, that's a great question. And I think it's really the focus for us on investment in R&D and sales and marketing right? And at the beginning of the year we started with the plan to hire a CRO from a sales perspective and put focus on hiring more engineers, et cetera, to be able to deliver on all the capabilities that we're talking about. And I think as we have -- I'm pretty happy with our focused execution with the level of investments that we have made and the way Shawn, who is our VP of Global Sales, has executed with the team to give us a solid quarter. And so the focus for us now is to really, from a sales and marketing perspective to focus on working with Shawn and team. So that we can get efficiencies from what we are seeing cross-functional between our sales team, our product management team, et cetera. And then on the R&D side, we have had really good success with leveraging AI internally within our own development efforts. And as an example, we pretty much stopped hiring anybody in QA anymore. We are seeing 20% to 25% efficiency gain with our best engineers. And ironically, it's actually the best engineers who are getting the most benefit of using AI. And so in a way, with all the things that we are doing with adding AI into the Risk Operations Center, AI is benefiting us in adding those without a significant increase in our R&D expense. And so I think at this point, the way we are looking at it is we're going to continue to leverage AI. And of course, we're going to invest back in our business. But no need really at this point for us to look at having CRO and the team is executing well focused with what our goals are. And then on the R&D side, again, we, of course, are -- if you see the innovations that are coming out, is a pretty rapid pace, we will, of course, continue to invest in R&D, but it's all going to be looked at from the lens of what kind of investment we will make in terms of people versus AI tools and how those tools are going to give us the required efficiency or I would say, unexpected efficiency in some cases. And so we're excited about what we're going to be able to do from both adding the Risk Operations Center, Agentic AI capabilities while internally also using Agentic AI across the board, not just in R&D, but also in sales and other areas as well.

And just to add to that, we are extremely focused on making sure that we have the right team structured in the focus areas from a product development standpoint. We have different teams working on, whether it be a total AI or ETM. And because of that, we are continuing to increase the hiring, the R&D, the engineers. It's just that the geographic mix of incremental hires has shifted more to be in India, which has helped from an R&D expense standpoint, but we are making sure that we're working across it different orgs or different functional areas within the engineering team to make sure that we're prioritizing in the right manner.

Our next question is from Shrenik Kothari of Baird.

Echoing my congrats to the team. Sumedh, the TruConfirm announcement definitely sounds like a step function moving from, as we said, the risk scoring to automated exploit validation and at scale. Just curious like -- do you envision this also becoming sort of a pillar like ETM as monetizing it standalone? Or do you think of it as becoming an on-ramp to move customers into broader ETM. And then just with the with the POCs converting and all the large enterprise consolidations you talked about, like how should we think about the ETM trajectory ahead? And then I have a quick follow-up for Joo Mi.

That's a great question. And look, I mean I think I would say that at the end of the day for risk management, you only manage your risk if you have eliminated the right risk, right? Just building dashboards and as I said, dashboard tourism is not helping with just visibility. And so at the end of the day, for that to happen, you need to have 3 things. You need to be able to collect data from multiple sources so you can get a broader picture of the view and your you're applying threat intelligence and you're seeing some of the traditional CTEM, which has been around for many years. Some of the CTEM solutions are just giving you, we consolidate the data and here it is. And so they are giving you a theoretical view of what might be exploitable in the environment. But with TruConfirm included as part of ETM, we are going a step further relative to the CTEM visibility-only platforms, giving them the ability to actually confirm and that's included as part of ETM. It is not an additional upsell, but that helps us differentiate from the CTEM only solutions, gives them the ability to confirm in that environment that the exploit actually works. And then the upsell from there is really and that's kind of how we look at the beachhead for converting our customers from the MDR to ETM is that, that conversion then will allow us to upsell them to the actual eliminate capability. Because again, like I said, if attackers are looking -- are starting to exploit vulnerabilities even before patches are being made available, it is really about speed. And so you need to be able to quickly detect the vulnerability, you need to be able to then confirm that it is exploitable in your environment rapidly. And then the next logical step has to be a automated AI-driven fix. So that you can get it fixed before the attackers get there. And if we -- and that's really where the Risk Operations Center is not just a CTEM solution, it really is more than a CTEM solution, which is just giving you dashboards.

Got it. Super helpful. And Joo Mi, very quickly, Sumedh mentioned about the AI driver for automated remediation and orchestration scale into model mROC partner delivery again also reducing the heavy lifting internally. So just curious, as partners increasingly monetize these services, how should we think about incremental leverage and how we're thinking about that.

Yes. I think that mROC will really help us to grow the top line because how we see the new product and value proposition in terms of the customers being able to really see how ETM could help them from a risk management standpoint, they will need assistance from the partner to really make sure that they are implementing the tool they're utilizing in the appropriate way and they're maximizing the ROI from their respective like customization that's required from the organizational standpoint. So with working hand-in-hand with the partner to help us accelerate the top line growth for us, we think that we will get some leverage from a margin perspective, but really the unit economics, we don't really see a material shift there. I think we're already seeing some kind of benefit as we continue to shift more of our business to the partner side and then layering on top that mROC, professional services or additional implementation help that customers might see will help to accelerate that revenue growth and the ETM penetration.

And Shrenik, just to kind of add to what Joo Mi said, I called that out as an example in our earnings calls where an mROC partner, brought this new logo opportunity to Qualys in the Middle East, one of the largest airlines because they were excited about, not because of just a margin here or there, they were excited about the ability to provide high-value risk management services to their customer. If they brought that customer to Qualys versus just selling them some other VM scanner that would just give them more findings and they would have to do a lot of work to provide value on top of that. So that strategy around mROC partners are bringing not just ETM, but they're also bringing us other customers, other deals with the understanding that these engagements with Qualys will lead to services revenue for these companies.

Our next question is from Junaid Siddiqui of Truist Securities.

Great. As you pivot more into a platform play, are you seeing any changes in sales cycles from customers?

I mean, I think nothing notable to call out for. I think on the -- there's good and bad, right, at times for us to be able to show the value of the platform by ingesting data from tools that they already have. Can be a win instead of saying, you need to do a deployment of our agents and scanners everywhere to see the value that Qualys brings and then the pricing kind of allows them to think about maybe eliminating their existing solution over a period of time. And so I think today, I think so far, we are in the early days, but we're seeing, especially with the ROCon Conference that we had and the partner advisory -- I mean -- sorry, the product advisory board where we had a lot of the top banks out there. I think the feedback is a lot of excitement around the Risk Operations Center as a focus area rather than just kind of trying to do a like-to-like scanner to scanner replacement and the time and effort it takes. This is something that they feel like it's something that they can justify in terms of moving quickly now, of course, it is something that is new. Everybody is looking at it this year. So it is allowing them to figure out how they're going to budget. Some people have the budget now, some people are looking at it to budget for next year's purchases. And so -- but overall, the conversation has been pretty positive. And I think the goal for us is to not only existing customers not only bring the Qualys findings into ETM, but that value they get out of that is going to encourage them to bring a lot of other findings and other assets that are not currently in Qualys. And so we are seeing that with some of the early adopter customers. They started with bringing Qualys VMDR findings into ETM, but then quickly pivoted after seeing the value to bringing sometimes twice as many assets into Qualys as they had before from other tools, increasing the license count for ETM. So that's kind of how we're looking at it as we progress is that it's going to help us be much quicker in POCs and we don't have to walk away if a customer already has a competing VM scanner. We can actually just ingest the data, show them the value -- show them the business value and then grow from there rather than doing prolonged POCs that involve deployment of agents and scanners, which ultimately they see the value in that, but it is sometimes -- just takes a longer cycle. So I think net-net, I think will -- it's early days. We'll see how it develops. But so far in the initial engagements we have had, it's been pretty exciting and fairly quick moving.

Our next question is from Joshua Tilton of Wolfe Research.

Congrats on a great quarter. I've been bouncing around a few calls, so I'm actually going to ask a pretty high-level question. And my question is, we have the privilege of covering 3 publicly traded vulnerability management vendors, and you guys are all kind of growing at different rates. And I guess my question to you is, are the deltas in your growth rate a function of things changing within the VM market and therefore, some of you are growing faster, taking share, growing slower within VM, or the delta in the growth rates because some of you have taken these broader platform plays and you have these non-VM products better separating the growth between these 3 players? And if it's the latter, I guess, can you just help us understand which of the product -- the non-VM products for you are really driving the separation and growth that we're seeing at Qualys versus some of the other players?

I would just say that some of us have just have an awesome organic platform. That's why we are growing at a different pace. But having said that, look, I think, we've talked about this for a few years, VM has been changing and people are less focused on just scanning and more focused on prioritization remediation, and that's why we pivoted towards, if you recall, Patch Management a few years ago and we got GigaOM giving us that #1 spot in their analysis for Qualys, which was a great achievement for us just within 4 years, getting to #1 of our established players. We're also pivoting more with ETM towards the ability to not just -- not only collect data from multiple tools as well as our own tools, but also ability to prioritize with threat intel. We have award-winning threat intelligence, and we talked about that. And then the ability for us to actually confirm the vulnerabilities exploitable by exploiting it and then getting it fixed. And so what we are seeing, and we have been reporting on how Eliminate and Patch Management has been growing as a percentage of our LTM bookings. And then we've also talked about now that our focus on ETM and how starting at the earnings call for Q1, we're going to focus more on the penetration for ETM in our customer base, which is elevating from VMDR to ability to give them a broader Risk Operations Center and then the upsell from that is going to be the Eliminate capabilities to get things fixed. And so I -- with the engagement that we have with our customers, there is a big focus from customers on business alignment of cybersecurity spend, the ability to look at risk from a business perspective. And what we are doing now in the organically developed platform that we have that integrates so many different things together, I think, is helping customers get a very quick and simplified view of their actual risk and the ability to actually remediate before attackers get there versus competitors have multiple acquisitions with multiple separate tools that don't really work with each other. And they're not able to get that kind of -- in my belief, they're not able to get the kind of response that we are able to give very quickly whenever there is something going on, and that's the feedback that we have been getting from customers.

Sumedh, you had me at organic platform. But maybe just a follow-up for Joo Mi. If I missed it, I apologize, but any way to think about how we should expect billings growth to finish or current billings growth to finish this year?

Yes. I think that Q4 because it was a very strong quarter, a tough compare for last year. We do expect current billings to be a few percentage points below the revenue growth rate ending the year. So maybe if you think about it from the like 2025 full year current billings growth at around 8%.

Our next question is from Jonathan Ho of William Blair.

This is Garrett Burkam on for Jonathan. I was just wondering if you could walk us through how you're thinking about contribution from your new and continued product innovations like including AI and new modules around VMDR and mROC versus just continuing to upsell and cross-sell your existing installed base? And then also, can you just talk about how customer conversations are going with your mROC solution at this point? Just what traction you're getting there?

Sorry, I didn't get the first part of the question again. So you're asking for contribution from...

Yes, like new modules and new customers versus upselling your existing base in your existing modules?

Yes. Look, I think every customer is a different part of the journey. So we don't really break it out by individual modules. I think we have been giving color on the contribution of TotalCloud, which is our cloud native CNAPP solution. We're happy to see the progress it is making in early days, but it was 5% of the bookings for the quarter. And then you also have -- we called out Patch Management and Cybersecurity Asset Management, which has been the focus for us the last couple of years, and we're happy with the penetration there. But we're also now pivoting more towards the Risk Operations Center, ETM solution that we talked about and our goal is going to be just like we did from VM to VMDR a few years ago, really up level our customers from VMDR to ETM solutions. So which we have a very nice existing installed base of vulnerability management customers that we can work on upselling them and cross-selling them to ETM, which by the way, will include Cybersecurity Asset Management already. And then next step above that, we'll be upselling them to Eliminate solution to actually get things fixed. And so conversations have been super positive around Risk Operations Center, as I said in the earnings script, one of the big differentiators for us has been the CRQ and the business focus on risk management rather than just giving technical scores, and that was underscored at our ROCon Conference in Houston where we added a business track, separate business track for cybersecurity, which had sessions with CFOs and Board members and insurance companies. And actually, because of that, we had a 20% increase in attendance because people were really focused on making sense out of from a business perspective. So the conversations with customers are on Risk Operations Center, ETM solution from Qualys has been that they really like that we're not just a CTEM solution, giving them dashboards. We're actually natively fixing issues for them rapidly as well as we're giving them AI-based intelligence around the business and for their particular industry, what is the risk of ransomware? How much money could they lose, why should they fix this particular vulnerability versus not fix another vulnerability. So it's been very positive feedback, and we're excited about that. And so I think, as we get into the next year, we are really putting a focus on ETM and as part of that we have made some internal promotions to align well with our go-to-market strategy there with product management and Jonathan, our CISO, also really working on helping us as a GM for our risk operations solutions to really bring all of our teams to executing more towards ETM and getting the benefit out of upselling our customers to ETM. And that's what we see in the Q1 earnings call, we'll be starting to focus on the opportunity ahead of us. In addition, of course. One of the reasons is like there's a lot of CNAPP solutions out there. We see the resonation -- what is resonating with customers with our CNAPP solution. There's not so much individual features, but it is, again, the ability to bring the cloud risk as part of the holistic business risk. And so yes, other CNAPP solutions can tell you how many open buckets that you have after the public. But if you ask them, what does that mean, how in dollar value lost to your company, if one of them is compromised. There don't have answers to that. And so our cloud security solution is actually integrated from a risk perspective to give that business quantification, and that's what the feedback that we're getting from customers. And so as I look into next year, our focus is going to be on ETM as the big focus to cross-sell our customers. It's going to be continued investment for long term in the federal market. Focus on the continued innovation that we have with Eliminate capabilities. And then all of that is going to be underpinned by our work that we are doing with mROC partners which I think is going to contribute even more to scale our business in 2026.

Our next question is from Joseph Gallo of Jefferies.

This is [ Anec Bevin ] on for Joe Gallo. Really strong quarter. Can you just share some color on where exposure management is in terms of budget prioritization in 2026? And can we expect billings to track in line with your noted 8% for 2025?

I think I'll answer the first part is we're seeing definitely customers are looking to invest in proactive risk management solutions. And as I said, that the Risk Operations Center where exposure management is part of that in business quantification. With the feedback and response that we're getting from customers. This is definitely an area that they are focusing on in all the conversations that we had with this year. I think a lot of customers see the Risk Operations Center and the Security Operations Center, ROC and SOC kind of working closely with each other because there is a lot of fatigue currently on the SOC side because of too many alerts. And the feeling is that if they can focus on better prevention in the first place that can reduce the number of alerts and reduce the fatigue that they see in the SOC and people are looking to balance in the early conversations, while I don't have an exact percentage right now. we will see how it evolves in next year. People do talk about balancing their cybersecurity budgets between proactive risk management versus just reactive after the fact that somebody is in your network, and there's -- a lot of that has happened in the past. And it's ultimately you cannot do away with one or the other. You need both, so that you can proactively reduce risk while having the monitoring needed, if there is a compromise to block that. But there is definitely a focus on customers to prioritize the split between those because again, if they don't prioritize what they are fixing accurately, then they're asking and wasting their IT teams resources and fixing things that don't actually matter while at the end, getting more alerts in their SOC. So from that perspective, we are seeing conversations around the Risk Operations Center and exposure management is one part of that. We are definitely trending where customers are liking this ability to think about how much they spend into proactive risk management in terms of business risk and how much risk they would have, which is what I talked about in my keynote as well as ROCon is moving from a attack surface management to risk surface management. You can spend a lot in covering your attack surface, but the risk of loss was only $50,000 and you spent $500,000 to your attack surface. That's not a great business equation. So that's what we are hearing and we're seeing from our customers in terms of billings, Joo Mi?

No, I think that 8% that we believe that we'll be able to achieve in 2025 for the full year is on track.

Our next question is from Rudy Kessinger of D.A. Davidson.

Just a clarification on that last question, Joo Mi. You said that 8% billings for this year is "on track." Is that to imply that you think you can do 8%-ish again next year? Or can you just clarify that, please?

Yes. So right now, I mean, billing has the tendency to be very lumpy. So for this year, we think that we're going to end the full year at 8%, which implies a lower current billings growth rate for Q4 given the tough compare to 1 year ago. In terms of next year, it's a little bit too early to tell in terms of 2026, what we think that we'll be able to achieve. A lot of it will depend on what we'll be able to close the year at when it comes to the net dollar expansion rate. And we are monitoring very closely in terms of the newer product adoption to give us a better sense and clarity into what we think that we should be anticipating for 2026 growth rate.

Got it. Okay. And then you guys had some pretty decent results in the last few quarters now. Growth has been stable at 10% the last 4 quarters, I believe, on revenue. You've got NRR stable at 104%. What -- I guess, what would you need to see to maybe give you guys confidence in maybe declaring that you can deliver a stable 10% plus growth over the next couple of years?

Well, we're certainly working towards that. I think the key growth vectors we see right now are converting our VM customer base to -- VMDR customer base to ETM is an area of focus, creating upsell with Eliminate on that. We continue to see very -- a lot of interest for our cloud security solution. And I think with a long-term federal opportunity that we are focusing on, we have really good conversations with Risk Operations Center on the federal side as well. I think those are the areas that we continue for sort of short-term, medium-term and long-term growth, which is again underpinned by our focus on mROC partnerships. But we're really laser-focused next year on our VMDR to ETM conversion and the upsells will Eliminate.

Our next question is from Yun Kim of Loop Capital Markets.

Congrats on a solid quarter. Sumedh, on the Enterprise TruRisk Management, ETM, is that primarily a big deal sales motion? Or is it just a combination of a bunch of products that could be purchased and deployed in multiple phases and collectively that could lead to 100% uplift over time. Just want to get a better understanding of that 100% plus uplift commentary.

Yes, I think we feel and with the early response from customers, we feel like we can hold up to, of course, 100% of the VMDR because we're adding them -- we are providing them AI capabilities, Agentic AI capabilities, marketplace built in, where they can essentially bring on an AI agent as part of their team for 4 weeks as they're focusing on an audit or for 3 weeks as they are triaging the ransomware related vulnerabilities. And so CSAM is also included in that. Ability to test exploits is also included in that. And so we feel like that's something that is going to be helpful for customers, primarily it is VMDR, CSAM plus all the new capabilities that I highlighted, or what is focused on that now. We also talked about Q-Flex and I think a lot of this is going to go hand-in-hand as we start seeing scale next year. A lot of these customers who are looking to buy ETM are also going to be interested in our Eliminate platform and also be interested in cloud. And so the Q-Flex is what sort of you talked about is from an ability to provide them a way to try and use different Qualys modules that make sense to them instead of having to go through multiple purchase cycles through the year and we are going to see a combination of the Q-Flex pricing with ETM cross-sells are the focus for us as we get into next year.

Okay. Great. Looking forward to ETM adoption next year, given that it sounds like it's going to have big impact. Just -- Sumedh, you haven't done any acquisition in a while or anything sizable. If you can just give us an update on your view on acquisition strategy. Obviously, you guys are performing very well. The business overall is stable. You got this ETM kicking in starting next year. Obviously, you're very proud of your organically growing platform, but you must see a strategic opportunity to expand your offering to get to that place faster than organically, are you tempted at all given how dynamic the market is evolving?

Look, we are always open to all kinds of different opportunities to look at organic small acquisition, some larger acquisition potential as well. That makes sense. We definitely come more from -- we want to give our customer an organic experience with the platform. Having said that, we have done tuck-in acquisition in the past where if there is a fit with our platform, we're not shy of looking at something larger. But currently, with the way we are executing, focusing -- and one of the things that happens with ETM now is that we are able to increase the asset count that the customer has with Qualys by actually bringing data from other tools and may not necessarily need them to essentially buy that particular capability from Qualys, as an example, right? Like now with ISPM identity solution, as an example, that we have as part of ETM, we can pull an identity from Okta and AD and others, and we don't necessarily have the customer to us -- to maybe acquire an AD security company. We can work with companies out there while that increases the asset count in Qualys. And so these dynamics keep changing, and we see efficiencies coming out of AI. We are seeing ability for us to look at various players in the market, how they are doing. And we continue to stay focused on our road map from an organic experience for our customers while also keeping an eye on the industry and looking at whether it's going to be a smaller or a larger acquisition, we're definitely continuing to be open to that.