QLYS - NASDAQ

Ladies and gentlemen, thank you for standing by. Welcome to Qualys' Fourth Quarter 2025 Investor Call. [Operator Instructions] Please be advised that today's conference is being recorded. I would now like to turn the conference over to Blair King, Investor Relations. Please go ahead.

Thank you, Michelle, and good afternoon, and welcome to Qualys' Fourth Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, President and CEO; and Joo Mi Kim, our CFO. Before we get started, I'd like to remind you that our remarks today will include forward-looking statements that generally relate to our future events or future financial and operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

Thank you, Blair, and welcome to our fourth quarter earnings call. As threat actors continue to compress time-to-exploit, we believe the next phase of pre-breach risk management will be defined by an agentic AI-driven risk fabric with out-of-the-box business quantification, automated remediation to respond to the speed of these threats. Against that backdrop, we continued to execute well in Q4, demonstrated by another quarter of strong revenue growth and profitability. In my conversations with hundreds of CIOs and CISOs as well as security leaders from many of the world's largest and most innovative organizations, one message has remained consistently clear. Reducing cyber risk isn't about detecting more exposures. It's about operationalizing a cyber risk management program that aligns spend with risk tolerance. In doing so, CISOs are increasingly prioritizing the unification of fragmented security stack into a centralized risk fabric, one that serves as a credible alternative to single-vendor platforms by bringing diverse risk vectors into a prioritized, measurable view of risk that their teams can confidently communicate and remediate at machine speed. That message was further amplified at our recently concluded ROCon conference in Mumbai, with attendance up over 30% from last year's event as we again broadened the agenda to include a business track. And with the element of AI, which is democratizing cybercrime and enabling adversaries to operate with unprecedented speed and sophistication, this need is only intensifying. As a result, we believe that the future of pre-breach risk management belongs to vendor-agnostic agentic AI-powered solutions that continuously predict, assess, confirm, quantify, prioritize and remediate risks across on-prem and multi-cloud environments. Over the past year, we continued to execute relentlessly towards this vision, delivering meaningful platform innovation to help customers reduce risk faster, operate more efficiently and stay ahead of an increasingly dynamic landscape. Accordingly, in 2025, we broadly expanded the Qualys ETM platform to third-party data and launched a powerful new orchestration layer that unifies Qualys and non-Qualys findings, applies our industry-leading threat intelligence and delivers a business-contextual quantified view of risk with built-in prioritization and automated remediation. Building on this foundation, we introduced an agentic AI risk fabric that assesses and normalizes diverse internal and external data sources, applications and machines. We expanded -- we extended these capabilities with the first-of-a-kind agentic AI risk management marketplace, enabling security and IT teams to quickly augment their existing workforce with highly specialized autonomous experts that significantly reduce time to remediation, increase accuracy and reduce costs. To further close security gaps, we again organically enhanced ETM with a natively integrated Identity Security Posture Management solution at a time when identities have become part of the new AI perimeter. And further flexing the power of our platform, we are now confirming exploits before customers are compromised. While traditional Continuous Threat Exposure Management solutions rely on a theoretical risk score and ignore mitigating security controls, ETM takes a fundamentally different approach. On a single platform, it uniquely detects vulnerabilities, validates exploitability, applies remediation and revalidates exploit using Agent Val, agentic AI workflow. The net result is that Qualys is redefining how organizations manage pre-breach risk management. While competitors continue to focus on detecting vulnerabilities or mapping theoretical exposures, Qualys has moved decisively beyond that model. We are pioneering the first agentic AI-native Risk Operations Center, ROC, a new category in cybersecurity designed to centralize an organization's response to threats spanning exploit confirmation to autonomous remediation. Powered by our ETM solution, the ROC represents a fundamental diversion from traditional CTEM tools. Competitors can point to exposures. They can't quantify cyber risk in dollar terms that matters most to the business, and they cannot adequately fix them. ETM fills that gap. This is what sets Qualys apart. We don't stop at detection and non-quantifiable prioritization. We natively integrate CTEM, exploit confirmation, risk quantification and remediation operations into a single AI-powered workflow, leveraging both Qualys and non-Qualys data sources. In doing so, our architecture orchestrates and implements a perception-reasoning-action loop, enabling autonomous agents to collect real-time telemetry, reason through risk signals, plan response workflows and execute actions. This enables organizations to holistically predict emerging risks across infrastructure, cloud, application security, IoT and identities, safely confirm probable exploits, prioritize threats based on business impact, remediate through patching or other compensating controls and verify the effectiveness of the remediated tactic. This end-to-end vendor-neutral approach is catalyzing a paradigm shift in pre-breach cyber risk management, where customers aren't just seeing their risk holistically across the risk stack. They're validating it, quantifying it and reducing it continuously and autonomously at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that brings customer value. Armed with this fresh new set of capabilities and early momentum already validating this model, we are now laser-focused on accelerating ETM adoption through our VMDR customer base, and positioning Qualys for larger upsell opportunities over time. Moving to our business update. With customers spending $50,000 or more with us growing 4% from a year ago to 215, let me now share a couple of recent wins which illustrate why organizations ready to centralize the response to cyber risk are turning to Qualys to help unify the security stack, quantify and remediate risk in their environment and fortify their security operations. First, an existing Global 50 customer was struggling under the weight of multiple unintegrated security tools, millions of vulnerabilities and limited visibility into the overall risk profile. Traditional prioritization methods were unable to adequately filter critical findings, leaving security and IT teams without the necessary business context to act decisively. Consequently, this customer selected Qualys and launched a strategic initiative to unify their security stack by transforming siloed risk signals spanning on-prem and multi-cloud environment into a cohesive, agentic AI-native risk management solution. This included expanding the ETM deployment to further operationalize the ROC with ingested third-party data from several sources, resulting in a mid-6-figure annual bookings upsell. By consolidating these data services into the Qualys platform, we are now delivering this customer a unified orchestration layer and full visibility of their attack surface, centralized risk assessment, quantification, prioritization and remediation workflows while unleashing the operational efficiency of the stack consolidation. This expansion of their ROC underscores the power of our platform and reinforces Qualys' ability to unify siloed risk signals, operate as an autonomous defense layer, strengthen customer outcomes aligned to the business risk tolerance, and advance our leadership in the industry. Leveraging our mROC partner ecosystem, we are also pulling new business into Qualys. During the planning stages of launching a new ETM POC with a global 200 company in Latin America, we secured a 7-figure annual bookings upsell, which included our TotalCloud CNAPP and Policy Audit solutions. This win demonstrates the leverage of our partner-led motion and our ability to convert early engagements into meaningful, multi-solution growth. Turning to our Federal business. We achieved a mid-6-figure expansion with one of the federal government's most visible shared security services utilized by several large government agencies nationwide. Faced with an overwhelming volume of security issues that limited resources to continuously assess risk across augmented tools and manual workflows, this customer chose Qualys for its cloud-native FedRAMP High Authorized platform to enable a centralized government program that quantitatively prioritizes risk with automated assessment, standard outputs and low operational overhead. Given the success of this deployment, we are now working towards a multi-agency ETM rollout representing a significant upsell opportunity as this shared services team prepares to operationalize its Risk Operation Center. These results alongside another 6-figure upsell with a separate large federal agency, reinforce our proven ability to align technical capabilities with operational outcomes that address modern security challenges and underscore the long-term growth opportunity in our Federal business. Beyond these wins, we are also gaining more leverage from our partner ecosystem. As we continue to endorse a partner-first sales motion, partner-led deal registration increased again in Q4, reflecting deeper alignment and execution across the channel. In addition, with well over a dozen certified mROC partners actively launching new services, momentum continues to build towards a global ROC alliance, fueling our capability, harnessing transformative solution sales and bringing new business to Qualys. Further contributing to our growth profile, in Q4, we continued beta testing QFlex to help customers accelerate and maximize adoption of the Qualys ETM platform. Given the strong customer response and early success of this model, we plan to continue to focus on proactively identifying opportunities to leverage QFlex to enable select customers and partners to accelerate their adoption of Qualys solutions in 2026. In summary, we are fundamentally changing how organizations manage pre-breach cyber risk by unifying CTEM with exploit confirmation, risk quantification and automated remediation powered by an agentic AI risk fabric. Our rapid pace of innovation and strategic investments are driving strong competitive differentiation, deeper ROC adoption, broader engagements across large federal agencies, growing partner-led execution and initial QFlex success. Looking ahead to 2026, we'll continue our disruptive innovation, further advance our go-to-market investments and execute our ROC vision with a balanced approach to long-term growth and profitability. With that, I will turn the call over to Joo Mi to further discuss our fourth quarter results and outlook for the first quarter and full year 2026.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period, unless stated otherwise. We're pleased to report a healthy finish to the year, highlighting our continued execution, financial discipline and scalable business model. For the full year, we grew revenues by 10% to $669.1 million and achieved adjusted EBITDA margin of 47%, even with continued 14% growth in investments in sales and marketing. Net income and EPS grew 13% and 15% to $257.8 million and $7.07 per diluted share, respectively. And free cash flow reached $304.4 million or 45% of revenues, all of which exceeded our expectations for the year. Turning to fourth quarter results. Revenues grew 10% to $175.3 million. The channel continued to increase its contribution, making up 51% of total revenues compared to 48% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 4%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the U.S. was ahead of our domestic business, which grew 6%. U.S. and international revenue mix was 56% and 44%, respectively. With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2026 to remain similar to last year with a low to mid-single-digit growth in security spend persisting for the foreseeable future. Reflecting this sentiment, our gross dollar retention rate remained comfortably above 90%. We saw a modest sequential decline in Q4, with our net dollar expansion rate at 103%, down from 104% last quarter. In terms of product mix, our differentiated new products continue to drive growth with all 3 of the following increasing contribution to bookings in 2025. First, Cybersecurity Asset Management, combined with ETM made up 10% of total bookings and 13% of new bookings in 2025, up from last year's 8% and 9%, respectively. Next, Patch Management made up 8% of total bookings and 16% of new bookings in 2025, up from last year's 7% and 16%, respectively. Lastly, TotalCloud made up 5% of total bookings in 2025, up from 4% a year ago. We believe that these differentiated products combined will continue to increase contribution to bookings in 2026, given our opportunity to increase market share and maximize share of wallet. Turning to profitability. Adjusted EBITDA for the fourth quarter of 2025 was $82.6 million, representing a 47% margin, same as last year's. Operating expenses in Q4 increased by 11% to $68.9 million, driven by investments in sales and marketing, which grew 18%. With this strong performance, EPS for the fourth quarter of 2025 was $1.87 per diluted share, and our free cash flow was $74.9 million, representing a 43% margin compared to 26% in the prior year. In Q4, we continued to invest the cash we generated from operations back into Qualys, including $724,000 on capital expenditures and $44.7 million to repurchase 328,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.7 million shares and returned over $1.2 billion in cash to shareholders. As of the end of the quarter, we had $160.5 million remaining in our share repurchase program. We are pleased to announce that our Board has authorized another increase of $200 million to the share repurchase program, bringing the total available amount for share repurchases to $360.5 million. With that, let us turn to guidance, starting with revenues. For the full year 2026, we expect revenue to be in the range of $717 million to $725 million, which represents a growth rate of 7% to 8%. For the first quarter of 2026, we expect revenues to be in the range of $172.5 million to $174.5 million, representing a growth rate of 8% to 9%. This guidance assumes no material change in our net dollar expansion rate with moderate growth contribution from new business in 2026. Shifting to profitability guidance. For the full year 2026, we expect EBITDA margin to be in the mid-40s, implying mid-teens increase in operating expenses, and free cash flow margin in the low 40s. We expect full year EPS to be in the range of $7.17 to $7.45. For the first quarter of 2026, we expect EPS to be in the range of $1.76 to $1.83. Our planned capital expenditures in 2026 are expected to be in the range of $8 million to $12 million, and for the first quarter of 2026 in the range of $1.2 million to $2.6 million. In 2026, with respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, accelerating our partner program and expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing with more modest increases in engineering and G&A. With that, Sumedh and I would be happy to answer any of your questions.

[Operator Instructions] And the first question comes from Jonathan Ho with William Blair.

Congratulations on the strong quarter. Can you talk a little bit more about some of your QFlex offerings and how it potentially helps remove friction and perhaps encourages broader adoption of your platform?

Yes. Thank you very much. And that's a great question. We've talked about this last quarter as well. I think if you have to -- if you take that in relation to what we are doing with the Risk Operations Center and ETM and how we're differentiating ourselves from the exposure management solutions is that the ability to detect all your assets, find your vulnerability to use agentic AI to actually not only prioritize those, which is what a lot of these exposure management solutions do, which is just giving you a score, we're leveraging the ability to use agentic AI to confirm those exploits with the environment, which is very differentiated from what everybody does. But then after that, actually, the ability to also remediate those. And so being able to get this end-to-end very quickly, very fast before attackers are leveraging AI to do the same for your environment, the QFlex proposal allows the customer at their pace to then be able to consolidate a lot of these capabilities on a single platform with Qualys and do that over a period of time during their subscription with us, which allows them to maybe initially start with more of that prioritization and confirmation, but then as the year goes by, it allows them then to leverage our eliminate capabilities more and more to be able to focus on getting the outcome of getting these things fixed. And so what we're excited about is our conversations initially with the customers that have adopted this have been very positive in the fact that the security environment is not a static environment at the beginning of the year. It is continuously changing throughout the year. And the flexibility that, that pricing model offers them to actually be able to leverage different Qualys capabilities throughout the year as the threats change is a very big positive for them. So really happy with the feedback we have gotten in the beta phase. And at this year, 2026, we look forward to doing more of that and moving more towards the GA model for that.

Got it. Got it. And then just in terms of some of your comments around AI, I mean, clearly, you're seeing a lot of customer interest here. Can you maybe help us understand like where the customer is in terms of their AI journey? And also help us understand what that opportunity looks like for Qualys. So if you start selling more of these agentic products, AI sort of native products, how do we think about how that can impact sort of net retention going forward?

Sure. I think a lot of people talk about AI is embedded in their platform. I think where we differentiate ourselves is that what we have done is introduced the concept of a AI agent marketplace within the platform, which allows the customers to actually augment their workforce, their security team, which we have talked about this for years that there's never been enough talent in the security space. So the ability to get Agent Sara who's an expert in patches, the ability to get Agent Val who's an expert agents with skill sets that can autonomously make calculations and decisions on exploitation remediation. So the ability to say, look, I want to employ this particular agent on the platform to achieve a task, which otherwise would take me weeks and months to hire a consultant to get that outcome, what we've done with our agentic AI capabilities is not only have those built in throughout the platform, but with agentic AI, we can now actually have these agents that feel like they're really part of that team, and they can help you get those outcomes. And the way we have really positioned this is that customers who are leveraging VMDR, they get a really high-quality list of findings. But then as they cross-sell into ETM, they get the ability to not only do the prioritization of these vulnerabilities but they get the agentic AI capabilities, which then allow them to do -- achieve different tasks. And as you look at how customers are thinking of head count, et cetera, in the agentic AI world, these really help them get to those outcomes pretty quickly. And then, of course, in addition to that, with our TotalAI offering, we're also helping customers detect, find and address vulnerabilities and misconfigurations that are coming up in the AI workload that they have. And so with that, we look forward to customers bringing more data around their own agentic -- around their own AI solutions into Qualys ETM. And we believe that the agentic AI capabilities are a differentiator for customers to upgrade from or to cross-sell from VMDR into ETM as well as looking at some of the other exposure management solutions where they just give you a score, this will allow them to actually use an agentic AI to get patching done pretty fast and pretty quickly. And so we see that, that differentiation can be the catalyst for our customers to pick ETM over some of those other exposure management solutions that are out there.

And the next question will come from Kingsley Crane with Canaccord.

Congrats on the quarter. You answered some of this in the prior response, but would just love to hear more about how Agent Val is elevating ETM from an efficacy perspective. And just how Agent Val is reducing total net hours at the customer level and how that's resonating with customers?

Thanks, Kingsley. I wish -- unfortunately, the call is only an hour, but I can talk about this forever. But look, I think we have seen the history of this evolution back when Kenna has come out with this is like everybody is giving you theoretical scores, right, based on the vulnerability findings and CVEs information that is out there. Unfortunately, a theoretical score does not actually mean that a high score does not mean that the customer may not have other controls in place that mitigate that actual exploit from working in their environment. They might have a firewall. They might have something else, memory protection that is enabled, that a typical scanner or a typical exposure management solution will not pick up. What Agent Val does is it leverages that decision-making, autonomous decision-making process to basically look at the findings, look at the scoring, but then actually the ability to run a very safe exploit against the asset to confirm whether that vulnerability is actually exploitable in their environment, on their machine or it is not, not just a theoretical score. And what typically happens is when the security team gives these scores to the IT team, they spend a lot of time trying to chase down these findings only to feel like, oh, this was a false positive because, look, we already have a control in place and a lot of time is wasted in arguing back and forth. What the customers really want to be able to do is not waste their IT team's time on fixing things that actually are not exploitable in that environment. And the ability to, for sure, confirm by running an actual exploit in a safe manner that this figure is not exploitable. It means that the IT teams will be saving significant amount of time not chasing down ghost scores and will actually have a absolute confirmation that, yes, it is a very highly exploitable vulnerability, but I don't need to worry about it because I have other controls that are mitigating this, or it is highly exploitable, attackers are using it and I don't have a protection in my environment. So instead of just chasing scores, I can actually go and focus on fixing these and that's kind of making it a lot safer. So it's a significant time saving for the customer because of the agentic AI workflow. They can actually then significantly reduce the number of findings that they have. And the other thing is that, once exploit is confirmed on your environment, you don't have the time to create Jira tickets and ServiceNow tickets to help people go and manually make the remediation. As soon as you know that this is exploitable in your environment, confirm. You want to be able to use another agent to immediately kick off remediation and get it fixed. And you feel a lot more comfortable because now you have confirmed that this is exploitable, it's not theoretical. So people are going to want to also save time and not leave the exposure open for a long time by being able to run that exploit and then also automatically run the remediation. Now you cannot show up for the AI fight today with your Jira tickets and your ServiceNow tickets. You got to be able to do automation and autonomous decision-making to get things fixed. And that's the differentiator.

Yes. It's really exciting times, and it's good to hear you're leading the way here. For Joo Mi, it's been a remarkable year for Qualys. You guided to 7% at the midpoint. Entering last year, and you put up 10% and now you're guiding closer to 8% this year. How can we think about the levers for upside to growth this year?

Yes. 2025 was a solid year. From an execution standpoint, it was a very exciting year for us with ETM having gone live at the end of 2024. We've had significant number of discussions with our existing customers in terms of how we can increase value without them having to double their spend initially with us. And so, in doing that and working through our partners, what we were able to do is finalize our pricing and packaging for ETM and identify our key products that are going to be levers for growth in the short term, then long-term going forward as well. So 2025, solid year, with closing the year with another 10% growth for revenue, which we're really pleased about. Now when it comes to current billings, it came in line as expectations from last quarter with 2025 current billings growth of 8%. That's slightly lower than the 9% that we posted back in 2024 for current billings. So looking ahead to 2026, I think that's kind of more or less in line with what the baseline case is for us. Looking out, our guidance is really informed by what we see in the business today, the discussions that we're having, what we expect from the macro and in the spending environment. With that said, we do anticipate significant upside. Given what Sumedh just covered, we have very exciting product discussions with existing customers as well as prospects. I think that we've gone ahead and really leveraged our innovation and our power to really deliver what the customers are looking for and what the market is looking for. So we're excited about the outlook. But with that said, the baseline still remains to be around 7% to 8%.

And our next question will come from Rahul Chopra with Berenberg.

I have a couple of questions. I mean I appreciate these are not your estimates, but if I look at 2023 market share data which you gave, at the time you had market -- total market as $64 billion. In the current deck, you are talking about $53 billion market for 2026. At the same time, I can see previously, you had '28 market of, I think, something around $79 billion, $78 billion. Now '29 market is $75 billion. My question here is that basically, is the core market shrinking for VM and exposure management. I appreciate these are not your estimates, but I just wanted to understand what you're thinking about the core estimates in terms of the market itself, what is it doing? One. The second question is, I wanted to understand your thoughts about the competitive landscape in more general, especially given the ServiceNow is acquiring Armis. Obviously, that's going to probably change some dynamics. So I wanted to hear your thoughts on that, please.

Sure. I think I've been in Qualys for 20-something years, and vulnerability management has definitely changed. And if you recall, we've been talking about that as the number of assets have increased, the number of CVEs and software has increased. We're seeing that customers in the traditional way that vulnerability scanning was done is just generating way too much noise and vulnerability management has evolved, which we have called out many times. And that's the reason in the last few years, we've been focusing on shifting and focusing on the solutions that customers actually are looking for. So as an example, when we innovated with Patch Management, we're the first vendor to do that. And even today, we're not seeing really much traction with others. And Patch Management was, yes, not just -- vulnerability management doesn't mean you just scan and scan and scan if you cannot get it fixed. And so as that evolved, we innovated, we came up with Patch Management as a capability. We came up with Cybersecurity Asset Management that was needed for a successful VM program. Now we have expanded that capability with agentic AI with ETM because that's really what customers are looking for is how do you continue to triage that. And then adding a layer of validation is another game changer in our mind from a vulnerability management perspective. And then along the way, we've also focused on how do we bring TotalCloud, which is a CNAPP solution that we have, which we're very happy with the traction that we're seeing with that. We're coming up with agentic AI. So for us, it is about how do we continue to track the areas that customers are focusing on and then how do we maximize our share of that spend that they have. And that's what you're seeing, the provision and the innovation that we are going. And it's great to see that there is a focus and attention on the CTEM exposure management marketplace, as you mentioned, with ServiceNow buying Armis, which has been around for a long time, using passive capabilities to detect asset inventory, et cetera. But the reality, again, is that today, customers don't want just more vulnerability findings from these solutions that don't actually help you fix anything. And so, what we are looking forward to is, again, autonomous workflows leveraging agentic AI to get customers to fix things quickly, as you saw in the recent Mandiant report that the time -- mean time to remediate over the last 5 years has gone from 63 days to negative 1 day. So today, again, with solutions like that, ServiceNow, Armis and other solutions, do you have the time to create ServiceNow tickets and chase people down while attackers are having a free time exploiting your vulnerabilities. So what we feel pretty excited about with our customer conversations is the differentiation that we have that is allowing them to very quickly and accurately get to the things that actually matter to their business, put dollar value loss quantification numbers on it, get the validation and get the vulnerabilities fixed. And that is allowing us to differentiate, and that's where a lot of the conversations we're seeing are very positive in the focus of not just another exposure management solution, but moving towards a Risk Operations Center. And so our goal here is that, of course, security market keeps changing, et cetera. We're bringing solutions that we are looking forward to maximizing the share of the customer spend focused on the pre-breach side of the security and not necessarily the post-breach side.

And the next question is going to come from Nehal Chokshi with Northland Capital.

Nice color there on why the Armis acquisition by ServiceNow won't be impactful. It sounds like a key portion here is that basically, they're lacking Patch Management. So can you dive a little bit further here and explain why Patch Management has remained such a differentiator for Qualys here?

Yes. Thank you. I think today, if you see, right, like people are finding millions and millions of finding and the IT team does not want to be spending all their time instead of innovating going out and fixing so many vulnerabilities without the proper context. And so what we're seeing is that -- and we talked about this a couple of months ago, that Qualys agents have been able to deploy 140 million patches just in the last 12 months. And in one of the recent GigaOm reports, we were placed as the #1 Patch Management vendor by the analyst. And so the reason why we're getting so much traction is that in the past, I remember when I joined Qualys scanning once a quarter and taking 30 days to fix all your issues was considered okay. Today, when the attackers are attacking, you -- within 3, 4, 5 hours of the vulnerabilities being disclosed, you need that ability to quickly correlate how CVEs figure out that it doesn't matter to your business or that it's not exploitable in your environment and actually get it fixed. And so our success with Patch Management really has been a highly integrated solution with VM and not just a partnership where you're going out with some other separate solution and trying to bridge that gap. It's highly integrated solution that is quickly able to not only detect the vulnerability, or find whether it is actually exploitable in the environment. But then within a matter of minutes, it can actually fix and patch that particular issue. And so what we're excited about is to see the success of Patch Management in the last few couple of years, but also what we did end of last year is moved even further into providing customer more abilities to mitigate the risk of the vulnerability without patching. And I like to call it patchless patching, which is applying mitigating controls on the machine, which have given even more flexibility to our customers because sometimes you're worried about a patch breaking something, how do you balance the worry of patch breaking something with the worry of getting exploited. And many times, because of our super deep research in the patch research landscape with our research analysts, we actually are able to figure out the way exploits are working and then find ways to apply mitigations on the machine so that the actual exploit can be blocked. So at the end of the day, what is the point of all the spend you do in vulnerability scanning is to get the right things fixed before the attackers get there. So the majority of the value that comes in that overall spend is really about the patching part. If you do not patch it, you can build all kinds of dashboards and there's a dashboard tourism going on right now, but those dashboards don't mean anything if you don't actually get it fixed before the attackers get to it.

Okay. And Joo Mi, are there any headwinds leading to expectation of no change in NDER in your calendar '26 guidance -- that's embedded in calendar '26 guidance?

Yes. Our guidance is assuming no material change in net dollar expansion rate. You could see that it's always kind of gone up a quarter or down a quarter in the past couple of years. And right now, us being -- starting out the year ending 2025 at 103, we don't anticipate a material change to that rate.

But why is that? Why are you expecting no change?

Our guidance is informed by what we're seeing in the pipeline today and what we're expecting based on our existing customers, what they anticipate buying more of or how they're thinking about spending more with Qualys in 2026. Our preliminary discussions and view into the outlook today implies that assuming kind of similar in line gross dollar retention, the expectations from an upsell standpoint and then, of course, a new business, what we expect to land from a new logo perspective, this is all informing our guidance and the way we look at things.

And that's the base case. Now our goal will be to continue to improve our execution on the ETM and ROC, so the customers getting to know that. And that, to me, remains the upside in -- for the business is with federal -- now with our FedRAMP High that we got and the federal space partners, et cetera. So I think that's kind of where we are with just assuming 103 as we see it right now, but we continue to work on the upside in the business that we can potentially have.

So does that imply that your expectations -- the baseline expectations that ETM incremental penetration into installed base continues at this relatively slow pace that we're not hitting an inflection point yet?

I think it's very early. So like we said at the end of the last year where we had started with POCs, we're super encouraged with what we are seeing with the POCs and the conversion that we're having. But again, it's very early, right? We're talking about customers that are early adopters. So it's encouraging, but we're not -- we haven't had enough of those to really map out a confirmed trajectory of how that is going to go. So I think as we execute better in the first couple of quarters, that's where we will get to understand even better. Now that's where, as Joo Mi talked about in the past, we will start to provide guidance on how ETM is going to -- how ETM is going for us, starting the Q1 earnings call for 2026. And so that will allow you to sort of track where we're starting and then how we're going to expand -- go through the next couple of years on that big opportunity that we see right now.

And our next question will come from Rudy Kessinger with D.A. Davidson.

Joo Mi, I think you said in response to Jonathan's questions earlier. I think you said baseline remains around 7% to 8%. I'm not sure if you're referring to the revenue guide for this year or if that was also your expectation for roughly what we should expect for current calculated billings for the year.

I would say that we don't give specific guidance for current billings, but our expectation is that current billings growth rate will be more or less in line with the revenue growth rate. So 7% to 8% for both for full year 2026.

Yes. Okay. Got it. And then just maybe kind of a follow-up to the past question. Certainly, it sounds like there's a lot of optimism about the early ETM interest and adoption and whatnot. But at the same time, it's still just being too early to maybe drive an improvement in the net expansion rate or the overall revenue growth rate. I guess just -- I don't know -- we've been hearing that for a few quarters now. Is -- I mean, what needs to go right, whether it's with the channel or utilizing QFlex? Is there a potential that this year we could see enough adoption that we do see expansion rate pick up or revenue accelerate? Or is that unlikely just based on the current pipeline?

Yes. I mean all of that needs to go right. I think we've done a lot of innovation. The products are coming out now, which is great. The Agent Val is going to be very interesting for us. And the recent identity solution is also very interesting. I think a key part of our strategy definitely has been working partners. And so as an example, one of the key areas of focus right now where we are certifying more mROC partners as an example. And we are getting these partners up to speed and we're getting the partners trained and helping them create their offerings around the Risk Operations Center. And the idea here really is that these partners then with those services actually can bring us net new business, can bring us upsell opportunities because they don't have to have a replacement conversation maybe with the existing vendor that they might have been selling for the last couple of years. They can actually create a service for risk management with mROC on top of their existing VM solution, as an example, by pulling that data into Qualys and then ETM and then charging the customer for the management and the consolidation of their various risk factors, et cetera. So that's an area that we are looking forward to as that matures and as we are in the early days of getting those partners up to speed. Once those partners then start to take those offerings to their customers, that response will also help us see how that is gaining traction. Again, early conversations have been great. We've got to see that in the way that these customers -- these partners are bringing us some of their business. I think QFlex has been really a positive thing for when we are taking a customer who has VMDR and then converting over to ETM. That has actually been a really positive thing for customers so that they can kind of build in sort of certain amount of growth, and they can look at the ability to take the journey of a Risk Operations Center at that pace. And then, of course, we just got our FedRAMP High end of last year. So that's allowed us to have more conversations for the 2026 budget cycle for federal that obviously were not in line in time for 2025. So those conversations after FedRAMP High for '26, '27 are also going to be quite interesting for us. as potential upside. And so I think as Joo Mi has provided sort of the guidance that we see as of now, we're excited about some of these things that can potentially create the opportunity for us to do better than that.

And our next question will come from Matthew Hedberg with RBC Capital.

This is Mike Richards on for Matt. Keeping a little high level here, Anthropic's new model release today put an emphasis on cybersecurity and specifically, the model's performance for vulnerability discovery and patching. So I was just wondering, if you could talk about what you believe these developments mean for Qualys and maybe the cybersecurity industry more broadly as model providers look to potentially go deeper into cybersecurity.

Yes. Great question. I think today's announcement was great in terms of that understanding the fact that autonomous AI building the coding process or when you look at the code of a software and pointing agentic AI to that, is definitely something that the attackers are looking to leverage, and they're leveraging as well to be able to discover vulnerabilities in the codebase. Now having the ability to discover a vulnerability in an on open-source code is one thing, which is what Anthropic is helping. But once you find that this particular code has a particular vulnerability that could be exploited, you need to go find all of the machines running that software all over the customer's environment, internally, externally. And then the ability to test that after all the controls that the customer has put in place in their environment on that machine, is that actually exploitable, each individual customer's environment, each individual customer's machine. And that's the part where I think this -- the Anthropic development actually really helps again stress the reason why after a particular vulnerability is discovered, an exploit is discovered, why it is important to use an ETM agentic AI type solution to very quickly validate that in your environment and then actually fix it and apply a fix autonomously because when you're using AI to find these particular vulnerabilities and attackers are going to -- are using the same model, they are going to try to do their best to very quickly exploit those. So we -- what we feel is we are empowering our customers with ETM and with somebody like Agent Val to actually stay ahead of the gap between discovery of a vulnerability to the exploitation that we can actually leverage ETM with Agent Val to then actually find this issue in their specific environment on their specific machine and then protect them very quickly by actually being able to patch that. And so that's really the main differentiator. So I think in a way, it's great to show the power of what AI is able to provide for the attackers to find issues in open-source. And then it signifies even more the value of the ETM platform to actually find that during a run time and not just in the codebase as Anthropic is doing today.

And the next question will come from Patrick Colville with Scotiabank.

This is Joe Vandrick on for Patrick Colville. Can you help us understand -- I know you kind of touched on this, but can you help us just better understand the strategy you're taking to get customers to adopt not just vulnerability management, but also prioritization and Patch Management. And then I'm wondering, is there a way to think about what percentage of the customer base is just using that basic functionality of vulnerability management?

Yes, great question. I think if you kind of look at what we have been doing with Patch Management, by the way, and if you look at -- we're very happy to see the adoption of Patch Management, Cybersecurity Asset Management as the capabilities that sort of take that vanilla VMDR and add more execution around -- or execution for success around those list of CVEs, we're pretty happy and excited to see that. And so today with the ability to provide customers with things like average exposure window, the ability to provide customers the way that, that particular vulnerability actually impacts their particular environment. As an example, your typical threat exposure management solutions will give you a score, a risk score, and they will say that this particular issue has a risk -- or this particular asset has a risk score of 900 on 1,000 and another one has a 750 on 1,000, which one will you fix first? If you just go by the risk score as an example, you're going to see that maybe that risk score of 900 on 1,000 is on a machine that makes you $2 million a year, but the 750 is on one that makes you $500 million a year, immediately your prioritization switches and is exactly the opposite of what your exposure management solution give you because now you added a dollar value. And once you have that and you know that you're potentially going to have a loss of $500 million because of the exploit of this vulnerability, the next thing that customers want to be able to do is how quickly can I protect myself from making sure that I don't lose that $500 million? And that's where a integrated patching and integrated mitigation solution like Qualys is super impactful for them because now they don't waste time because once attackers are starting to exploit vulnerabilities, it is just a -- you're sitting duck with an open window and the quicker you can close that window, the better it is going to be. And our customers are really seeing that. That's why their adoption of Patch Management has been increasing, 140 million patches in the last 1 year is quite a milestone for us. And the ability to sort of give them that visibility to say that you can -- with this platform, you're not just exposing your exposure, you're actually fixing it is a great story. And our partners are also excited about the ability to not just provide service around more visibility. The ability to actually be the partner for the customer that gets them an outcome of actually the risk reduced is a differentiator. And that's kind of where we are looking forward to continuing our innovation around the exploit validation and the mitigation and Patch Management solution as well as awareness building around the Risk Operations Center is an area for focus for us. And then along the way, risks come from cloud. They come from your standard virtual machines, they come from cloud. That's where we have focused a lot. They come from identities. We have ISPM for that. They come from misconfigurations and we have Policy Audit for that. They come from AI now for which we have TotalAI as an example. So we continue to expand ways to bring more assets into ETM. At the same time, we continue to innovate on ways to absolutely get to the final outcome of actually releasing risk with automation and agentic AI as fast as we can. And that honestly is really, in my mind, a big differentiator.

That makes sense. And if I could sneak in one more. I think you mentioned that you're still in beta testing for QFlex and that you're going to leverage it for select partners. Is that just timing? Or are you not planning to go customer-wide with that pricing model?

Yes. We went beta with QFlex last year. And so we understand how it could be very additive to sell a cohort of customers. So we're rolling it out on a case-by-case basis because we want to create a win-win scenario for us, right? If for a customer, we feel like they would really benefit and increase their spend with us by giving them this flexibility, we're more than happy to work with them through -- whether it's through a partner or directly with us. For broadly speaking, we don't want to be in a situation where unintentionally, it results in a downsell for us and then also, they don't have the ability to try out other products because they're maximizing their budget and thinking through it from that perspective. So right now, it's in beta, but in the longer term, we do plan on going to GA with that and potentially with a slightly tweaked structure.

And our next question will come from Yun Kim with Loop Capital.

Sumedh, I think you touched upon some of my questions already, but how engaged are partners involved in core VM renewals? Or are they -- or a lot of them, the newer partners that you attracted last year, are they more about selling new products?

Yes. The mROC partners that we work with are pretty excited. We're starting to see these partners launch their own services for Risk Operations Center, which obviously takes some time because they have to come up with the brochures for the services, staff them with the right experts for risk quantification, et cetera. But what they are excited about is that instead of just looking at, can I get another $0.05, $0.10 of margin on $1, the ability to say that with ROC, they can actually offer higher value services. The service you can offer to a CISO is, hey, here's we're going to give you a business-oriented cyber risk visibility deck that you can take to your Board every quarter that's going to make you look very smart in front of the Board, is a significant value and they can charge multiple dollars, as an example, for those services around ETM, which they cannot necessarily do around other areas. And with the agentic capabilities built in, the partners are excited that, that actually can also reduce the spend that they have to do to staff their services teams with people if agentic AI capabilities in the platform can get them a patch Tuesday report within 24 hours versus taking 2 weeks for a consultant to manually go and create Excel sheets to do things like that. So very exciting early conversations. We're already starting to see some interesting wins, though it's early days, with new business and existing business with those partners that understand the risk story and positioning the broader risk management rather than just, okay, here's another list of vulnerabilities that I can provide you. Those conversations are very positive. And so as I said, we're really focused right now on our GTM efforts, around training these partners, around partnering with them and introducing them to customers as they introduce us to prospects, et cetera. And as that progresses, I'm excited about the potential that partners can bring customers to us, even if that customer might have another VM scanning solution, they can keep their solution, and they can actually bring that customer to us and the partner can make multiple dollars on every dollar of ETM that they sell for us.

Okay. Great. That's very helpful. Joo Mi, if you can remind us how renewals are lined up for the year, either it's skewed towards second half of the year, consistent with the prior years? Or with the newer products coming in, do you see some early renewals or renewals mix kind of changing up this year?

Right now, our expectation is that the seasonality remains the same. So same thing as what you saw in 2025. It will be skewed towards the second half of 2026.

And the next question will come from Junaid Siddiqui with Truist.

Sumedh, you've talked about the Risk Operations Center's focus on proactive risk management versus the SOC's focus on detection after the breach being a major differentiator. Just wanted to ask, are you starting to see budgets flow more towards proactive security versus reactive detection and response?

Yes. Thanks, Junaid, for that question. We definitely see the conversations with our partners who said like, look, I've invested a lot over the last few years in EDR, XDR, post-breach solutions around SOC. And of course, there is some focus now on agentic AI SOC solutions that they're looking at to improve that even further. But what they feel is that, on the pre-breach side, they have invested, but they've invested in a bunch of, I call them, SPM tools, which is, I have DSPM, I have SSPM, I have CSPM, but all of them are just giving you multiple dashboards. And there is definitely a bit of a fatigue with these customers saying, these dashboards are not helping me prevent a breach. While I have put in place a protection on the post-breach side to try to find attackers, if I can do a better job and operationalize my workflow so that I can take all these findings from multiple tools. You have these code scanners, which are kind of like false positive service sometimes because they give you so many findings. The conversations definitely are moving in that. There is positive conversation on leveraging budget that they have or asking for more budget over the next couple of years to move in that direction. And the early adoption of ETM that we are seeing is necessary -- essentially, we're going and getting budget but they are not always moving away from something they've already budgeted for. So some customers have started to put budget aside for exposure management, so to say, RBVM. But when we show them ROC, which is much bigger than exposure management and much more than RBVM, they are actually able to work with us to shift on that budget. So we definitely feel like there is more of a focus last year and into this year on, hey, we need to do a better job at proactive risk management. We've done a lot of work around the reactive side. Let's focus to get better on the proactive side.

And the next question will come from Jason

This is Joshua Tilton from Wolfe Research. Can you guys hear me?

Yes, Josh.

Awesome. Sumedh, I want to follow up on your answer when you were asked about kind of Anthropic blog post today on cybersecurity. And I just -- I want to reask the question, but I want to ask it in a much more simpler way. Is the way to think about it that a lot of the functionality that Anthropic was talking to was more around application security testing. And kind of some of the vulnerability discovery that happens before you would use a traditional VM tool. And again, I just play a security expert on TV. So if I'm thinking about it the wrong way, please let me know. But is that kind of the right way to think about it?

Yes. Right now, a lot of their focus is on looking at open-source code and looking -- going through the codebase to look at commit logs, et cetera, around that code to find the vulnerabilities in that particular codebase. Now that codebase is then compiled into some piece of application or software, which then is running all over the place across millions of machines in different customer environments behind different firewalls, et cetera. So generally, that's sort of where we see Qualys focus is more around once those vulnerabilities are discovered or attackers starting to use those, how do we then quickly assess those in a run time rather than a application code discovery time, which is where a lot of these AI agents are focusing on.

Makes total sense. And then maybe just a quick follow-up for Joo Mi. I think in the past, there's been several leadership changes throughout the years where there was always a plan to kind of invest to reignite growth. And I'm just curious, when we think about the EPS guidance for the full year, how do you think about the level of investment for '26 that's baked into that EPS guidance versus prior years when maybe you've had one of these kinds of new CRO in place or other leadership roles being filled?

We're really pleased to start off the year strong with all key positions filled with a strong executive team who's tenured. So keeping that in mind, last year, we had guided to low-40s EBITDA margin coming off of 2024's 47%. So the implied gap or implied margin contraction was significantly higher than what you're seeing today. We closed out the year 2025 with 47% EBITDA margin. We're guiding to mid-40s for EBITDA. So a slight contraction, but it's not as significant as what we had guided to at the beginning of 2025.