Joo Mi Kim - Qualys, Inc. Philippe Courtot - Qualys, Inc. Melissa B. Fisher - Qualys, Inc..

Bill Choi - Wunderlich Securities, Inc. Christopher Speros - Stifel, Nicolaus & Co., Inc. Craig Nankervis - First Analysis Securities Corp. Matt S. Lemenager - Robert W. Baird & Co., Inc. (Broker) Jonathan Allan Kees - Summit Redstone Partners LLC Jackson E. Ader - JPMorgan Securities LLC.

Good day, everyone, and welcome to the Qualys Third Quarter 2016 Earnings Conference Call. This call is being recorded. At this time, all participants are in a listen-only mode. Later, we will conduct a question-and-answer session and instructions for asking a question will be given at that time.

I would now like to turn the call over to Joo Mi Kim, Vice President of FP&A and Investor Relations. Please go ahead, ma'am..

statements related to our business and financial performance and expectations for future periods, including the rate of growth of our business; our expectations regarding capital expenditures, including investments in our cloud infrastructure and the intended uses and benefits of those expenditures; trends related to the diversification of our revenue base; our ability to sell additional solutions to our customer base and the strength of demand for those solutions; our plans regarding the development of our technology and its expected timing; our expectations regarding the capabilities of our platform and solutions; the anticipated needs of our customer; our strategy, the scalability of our strategy and our ability to execute our strategy and our expectations regarding our market solutions; the expansion of our platform and our delivery of new solution; the expansion of our partnerships and the related benefits of those partnerships; our ability to effectively manage our costs; our expectations for currency exchange rates; our plans to pursue arrangements with MSSPs, which are multiyear contracts at fixed prices; and finally, our expectations for the number of weighted average diluted shares outstanding and effective GAAP and non-GAAP income tax rates for the fourth quarter and full year 2016.

Our expectations and beliefs regarding these matters may not materialize and actual results in future periods are subject to risks and uncertainties that could cause actual results to differ materially from those projected.

These risks include those set forth in the press release that we issued earlier today, as well as those more fully described in our filings with the Securities and Exchange Commission, including our latest Form 10-Q and Form 10-K.

The forward-looking statements in this presentation are based on information available to us as of today, and we disclaim any obligation to update any forward-looking statement except as required by law. We also remind you that this call will include a discussion of GAAP and non-GAAP financial measures.

The non-GAAP financial measures are not intended to be considered in isolation or as a substitute for results prepared in accordance with GAAP.

A discussion of why we present non-GAAP financial measures and a reconciliation of the non-GAAP financial measures discussed in this call to the most directly comparable GAAP financial measures are included in our earnings release issued earlier today. Joining me in today's call are Philippe Courtot, our Chairman and CEO; and Melissa Fisher, our CFO.

Philippe?.

Thank you, Joo Mi, and welcome to everyone to our Q3 earnings call. We had a very good third quarter where our top line revenue was at the very high end of our guidance and EPS was above, again, reinforcing the value of our cloud-based security platform in the marketplace and our balanced approach between profitability and growth.

As you certainly recall, earlier in the year we pointed out our ability to become a key player in the forthcoming consolidation of traditional enterprise security and compliance solutions.

This quarter, we put more pieces in place central to this strategy, with continued product innovation and expansion of our strategic partner ecosystem and I would further elaborate on this later. First, let me address what we are seeing from a macro industry level. A few weeks ago, we hosted our 16th Annual Qualys Strategic Conference in Las Vegas.

The theme of the conference was centered around the visibility companies must achieve to effectively fend off cyber attacks, and our Qualys cloud platform approach can make this possible. At the conference, I had the opportunity to discuss with quite a few customers their long-term security needs and the state of the industry.

They all expressed their need to consolidate the stack of the many security and compliance solutions they currently have as they have become too costly to deploy and maintain, and integrating them is becoming complex and extremely expensive.

In fact, our large customers are handling in excess of 30 disparate security and compliance solutions and they simply cannot take on more. Compounding the problem is the fact that they have a hard time finding qualified people to operate that.

Such discussions clearly reinforce our belief that Qualys is now very well positioned to address these needs because of the breadth of the new solutions we are now bringing to market, solutions that are designed for scale natively integrated, centrally managed and self-updating, thus eliminating significant cost by providing best of breed functionalities.

At our conference, in fact, we showcased our growing breaking suite of new services namely the file integrity monitoring solution, the detection of indication of compromised solution and our Web Application Firewall 2.0. We are on target to deliver these additional solution by the first half of next year. Now let me share some business highlights.

Qualys has built a new distribution model that continues to set us apart from other competitors in the marketplace. We want meaningful engagements with additional global MSSPs who are now embedding the Qualys platform with our managed security services offerings.

This week, we're very pleased to announce a global strategic partner with HPE who will be integrating the Qualys platform and suite of integrated solutions to deploy to their user base.

Earlier this year, as you may recall, we also expanded our engagement with Wipro, who already saw value in our platform and is now including Qualys across all of their global offerings. Additionally, we signed an entity who is now running out Qualys as a critical part of their security offering, again on a global basis.

The channel was not only the area that scaled in the quarter, and I'm very pleased now to announce that we have received yesterday our authority to operate or ATU from the Department of Health and Human Services under our FedRAMP certification, which opens up the federal marketplace for us.

Furthermore, our product development efforts continue to move forward with additional features and functionalities to our Cloud Agent platform.

For example, we announced that the Cloud Agents are now available on the Microsoft Azure platform at a click of a mouse, allowing Azure users to have a continuous view of the security and compliance posture of their Azure environment.

We continue to see strong adoption for the Cloud Agent from our customers with now more than 1.3 million Cloud Agents being purchased in the last 12 months, as well as the pent up demand for our new ThreatPROTECT solution that allows our customers to prioritize their remediation vulnerabilities in relation to the active threat landscapes.

Additionally, we continue to make significant progress with injecting new capabilities into our industry-leading platforms, including implementation of the Cassandra open source engine, passive scanning and container security.

It is now clear that in a perimeter-less hyper-connected world, our solutions visible in a single pane of glass are critical tools that enable Qualys to be the actor of choice in this new era of enterprise security consolidation, while helping customers extend their security policies to the new cloud computing environment.

In essence, we now provide our customers with a two-second visibility across all of their global IT assets, whether on-premise, on endpoint or on elastic cloud environments. We allow them to continuously assess the security and compliance posture of those assets, and next year we will help them identify those who have been already compromised.

In addition, we eliminate significant costs out of the IT and IT security budget as we now consolidate more than ten traditional on-premise enterprise security and compliance solutions. In summary, we have never been more optimistic with regards to our future and believe that Qualys is very well positioned for 2017 and beyond.

And with that, I will turn the call over to our CFO, Melissa, to discuss our financial results in more detail.

Melissa?.

Thanks, Philippe, and good afternoon, everyone. Our strong third quarter performance reflects the continued success our cloud-based security platform is finding in the marketplace. Total revenues in the third quarter were $51 million, which represents 20% growth over the third quarter of 2015.

We also see adoption increasing with the number of enterprise customers who purchased three or more Qualys solutions rising to 23%, up from 18% a year ago and up from 21% last quarter. The percentage of total customers with two or more products, including PCI, the prior metric disclosed, was 63% in Q3 up from 61% a year ago and 63% last quarter.

In addition, our average deal size increased 22% year-over-year in Q3. The negative impact of FX on our revenues mostly offset the positive impact from the MSSP contract this quarter. Our revenue plus the change in current deferred revenue balance grew 20% year-over-year.

As I highlighted last quarter, this calculation will not always mirror our current bookings due to the timing of the actual invoicing, as well as the impact of FX. This quarter, our revenue plus the changing current deferred revenue balance continue to be negatively impacted by those factors as well as the impact from the MSSP contract.

In accordance with our prior disclosures, our vulnerability management solutions remained strong, continuing to represent 79% of third quarter revenues in line with results in the third quarter of 2015. Our last 12 months of bookings year-over-year growth rate for Policy Compliance and Web Application Scanning was 23%.

Note that this figure does not include newer solutions like our Cloud Agent use for VM, our Private Cloud Platform and ThreatPROTECT. In fact, Q3 bookings from the Cloud Agent platform grew almost 50% sequentially, and from ThreatPROTECT grew 90% sequentially.

Before moving to profit and loss items, I would like to point out that unless otherwise specified, all of the expense and profitability metrics that I will be discussing on this call are non-GAAP results. Our non-GAAP metrics exclude stock-based compensation and nonrecurring items.

A full reconciliation of all GAAP to non-GAAP measures is provided in the financial tables of the press release issued earlier today and is available on the Investor section of our website.

As I discussed the last quarter, our strong margins are a testament to the scalable operational model of Qualys and are higher than other comparable security and SaaS companies. Driven by the opportunity to increase our profitable growth we have been increasing our investment in 2016.

While gross margin declined slightly to 79%, down from 80% in the third quarter last year driven by an increase in software and hardware expenses, gross profit increased by 18% year-over-year to $40.2 million in the third quarter of 2016. Operating expenses increased by 19% year-over-year to $27 million.

Research and development expense increased to $7.8 million or 25% year-over-year primarily due to higher head count. Sales and marketing expense increased to $13.4 million or 19% year-over-year primarily due to higher sales head count, higher marketing expense and costs related to our salesforce.com implementation.

G&A increased to $5.9 million, 13% year-over-year largely due to higher head count. Operating expenses were sequentially flat despite a meaningful increase in head count because over 80% of our net hires in Q3 were made in India.

The sequential increase in sales and marketing expense from customer and acquisition costs and branding expenses were offset by a sequential decrease in G&A from lower third party spend.

Due to our strong revenue growth, adjusted EBITDA for the third quarter of 2016 increased by 16% to $17.6 million compared to $15.1 million in the third quarter of 2015. Excluding the positive impact to revenues from the MSSP contract, adjusted EBITDA would've still increased over the third quarter of 2015.

Adjusted EBITDA margin in the third quarter of 2016 was 35% as compared to 36% in the third quarter of 2015. Moving on now to earnings per share. For the third quarter of 2016, GAAP EPS was $0.13 per diluted share, up from $0.11 in the third quarter of 2015.

Non-GAAP EPS was $0.22 per diluted share in the third quarter of 2016, up from $0.19 in the third quarter of 2015. Net cash from operations in the third quarter of 2016 increased by 26% to $20.2 million compared to $16.1 million in the same period in 2015.

Free cash flow generated in the third quarter of 2016 was $10.4 million compared to $11.7 million in the comparable period of 2015. The lower free cash flow was due to $4.8 million of capital expenditures incurred in Q2 that was paid out in Q3. As we discussed last quarter, we frontloaded CapEx that was scheduled to be paid later in the year.

Of the $7.4 million frontloaded, $4.8 million was paid out in Q3 with the rest scheduled to be paid out in Q4. Excluding the previously mentioned $4.8 million, capital expenditures were $5.1 million in the third quarter of 2016 compared to $4.5 million in the third quarter of 2015.

In the fourth quarter of 2016, we expect capital expenditures to be in the range of $3.5 million to $4.5 million excluding the $2.6 million remaining to be paid from the $7.4 million Q2 expenditure.

As a reminder, $5.2 million of the $7.4 million was related to the early renewal of a license arrangement as we were able to lock in an attractive rate of database software for the next several years. This was CapEx that otherwise would have been spent in 2017 and does not represent a change in our business model.

Excluding the early license renewal, our expectation for capital expenditures remains roughly the same at approximately $20 million to $21 million for fiscal year 2016. Now turning to our guidance starting with revenues. For the fourth quarter of 2016 we expect revenues to be in the range of $51.9 million to $52.9 million.

In the fourth quarter we expect a negative impact from FX to outweigh the positive impact on revenues from the MSSP contract. For the full year 2016, we are raising the bottom end of our guidance for revenues, bringing our current guidance to a range of $197.6 million to $198.6 million.

For the full year of 2016 we are raising our guidance for both GAAP and non-GAAP EPS. Our current guidance for GAAP EPS is now $0.41 to $0.42, and for non-GAAP EPS $0.79 to $0.80 for the full year 2016.

We expect the GAAP EPS for the fourth quarter of 2016 to be in the range of $0.06 to $0.08 per diluted share, while non-GAAP EPS is expected to be in a range of $0.16 to $0.18 per diluted share.

We expect our operating expenses to sequentially increase in Q4 as we are continuing to invest in our business as we scale further rollout of additional solutions to our platform because we have a highly profitable operational model.

Our fourth quarter EPS estimates are based on approximately 39.2 million weighted average diluted shares outstanding, and our full year 2016 EPS estimates are based on approximately 38.5 million shares outstanding.

For the fourth quarter and full year 2016 we have used an expected effective GAAP tax rate of 37% and 38% respectively, and an expected effective non-GAAP tax rate of 36%. Like Philippe, I was delighted to see such strong customer response by both partners and customers at our user conference.

Customers are looking for fully integrated, cost effective and scalable security and compliance solutions, which provide instant visibility across all of their global IT assets whether on premise, on endpoints, or on elastic cloud environments, and Qualys is in the best position to fill those needs.

With that, Philippe and I would be happy to answer any of your questions..

Thank you. Our first question comes from Bill Choi with Wunderlich. Your line is open..

Yes. Thank you. I guess if I had to stick to one question it would be more to trying to understand the traction you're getting currently on bookings for the new product.

You talked about ThreatPROTECT and the Agent, and yet when we look at your guidance for revenue, understanding maybe there's some FX pressures there, the sequential growth rate here looks weaker than what you normally see into Q4. It's what, 2% to 4% sequential growth.

I just wanted to get some sense of when you talk about these new products, how big are they and are they making an impact yet meaningfully to revenue? Thanks..

Well, let me answer that by addressing a couple of points, Bill. So first, Q4 is a big quarter for us.

And as in general we've been seeing increasingly larger upsells, we continue to see that in the pipeline for Q4 and so we guide appropriately based on the fact that larger upsells are a little bit less predictable for us in terms of which quarter they're ultimately going to get signed in.

We are also, as I mentioned, negatively impacted by FX in Q4 which is actually going to outweigh the positive impact from the MSSP by about – impacting our growth rate to such that it would be 0.5% lower. So those are the data points then.

But we are seeing, as you pointed out, good traction early in the new services and it's – again, it's going to take time because of our SaaS ratable revenue model for it to flow through on the revenue line..

And our next question comes from Gur Talpaz with Stifel. Your line is open..

Hi. This is actually Chris Speros on for Gur. Thanks for taking my question.

Can you talk about what the pipeline is looking like for the Cloud Agent and the mix of that pipeline in regard to new versus current customers?.

So we don't have really the mix between the new and the existing customers. What we can say is that we see a continued adoption, very strong adoption by all of our existing customers, there's no question about that. In fact, (22:15) I gave you some statistics before that.

As far as the few – I'm sorry, as far as the new is concerned, we see many more and more of the new business coming with the Agent..

Yeah..

It's very clear that the Agent becomes the differentiator. So I don't have the exact percentage to give you but it's significant..

Yeah.

So when we report the Cloud Agent statistics, we are seeing that both from existing customers as well as from new customers, to be clear, and it is going to skew more towards existing because as our renewal base grows, our opportunities for upsell continue to increase, especially with these additional solutions so our business always tends to skew towards existing as well as because of how large our customer base is already..

Thank you. And our next question comes from Craig Nankervis with First Analysis. Your line is open..

Thanks. Good afternoon. Nice quarter, folks. You've had some nice – for two quarters now, some nice growth in your average deal size, which I believe is a bookings metric. Can you talk about that? Is that – here's another existing versus new customer question.

Which is influencing that more, is it multi-product sales? Is it larger initial deals? What can you say about these last two quarters and the growth of your average deal size?.

It's actually – it's going to be driven more by existing because one thing Philippe and I have discussed that's maybe different in our business model than some other companies is this nomenclature of new versus existing, it's a bit artificial because often we'll get new customers in for – it can be a very small initial dollar volume, it can be a PCI-only customer who then we upsell for close to $1 million.

And so it would be – you would see the increase coming more from the existing customer base..

Yeah. No, absolutely. And to give you some colors, for example, we have a large financial institution which was essentially spending about $200,000 a year for Qualys, and the upsell became $1.4 million. So you can see the big advantage we have. In a way, we take our customers young, if you prefer, and then we grow them.

So our business would be always tilted toward the upsell. And especially that we have more and more and more services, so you have even that compounding effect..

Right..

And our next question comes from Steve Ashley with Baird. Your line is open..

Good afternoon. This is Matt Lemenager on for Steve. My question was around the 4Q guidance, and implying the EBIT margins would be down sequentially. And just looking at it the last few years, seasonality has kind of seen an increase in the EBIT margin 3Q to 4Q.

And I realize you came in nicely ahead of margins this quarter, so maybe some of it is expenses that pushed to 4Q.

And you talked a little bit about extra expenses or investing in R&D and things in the fourth quarter, but I was just wondering if maybe you can comment or provide color on the implied guidance for the fourth quarter around expenses and the implied EBIT margin?.

Yeah. That's right, Matt. So we do expect our expenses to sequentially increase as we – as I had highlighted, we had expected for it the Q3 and ended up coming in a little bit lower. But we are investing across all of the functions, R&D and operations, sales and marketing, and G&A and so that's what our guidance is based upon..

Our next question comes from Srini Nandury with Summit Redstone. Your line is open..

Hi, this is Jonathan Kees, I'm actually speaking for Srini. Thanks for taking my questions. I just have two, first one is a follow-up.

I guess in regards to that Q4, you talked about the OpEx going up, should we think then that GM will stay relatively flat with Q3, that most of the increase is just going to be in the OpEx line? And then the second question, the more higher level question is that you're talking about providing services as a differentiator, and earlier you mentioned that finding the right personnel with security expertise has been difficult for your clients.

Is that something that you're providing and that is going to be something that's going to move the needle for you and how you differentiate relative to your competitors?.

No. In fact, on your second question, in fact one of the unique things that Qualys does, because we have adopted that cloud model, the cloud model has allowed us to package our solutions a bit like (27:26) and all these cloud solutions.

It's like we don't need all that professional services, and that's one of the other reason of our profitability, in fact we have no professional services, zero, since the inception.

What I was referring to you about is our customers today, which have now the big advantage of Qualys today is that the same platform offers you 10 traditional security and compliant solution totally integrated so you need significantly less people to operate.

And the complexity to operate is different so solution is also reduced, as opposed to having – if you line up all these different best-of-breed enterprise on-premise security solution, you need to have one infrastructure for that application, another one for the other one, and on and on.

So you have to deploy and maintain different architecture and on the top of that, you have to maintain and operate all of these different solutions independently. And then in order to make better sense of your security and to get the overall security posture of your company, you need now to integrate those ones.

So you end up now using a different solution – another solution, where you integrate all that information, which again costs a lot of money. You need to find the people for you to be able to do that. So that's what Qualys essentially fundamentally eliminates. And now the first question, which I forgot..

I'll take over..

So okay, Melissa will go ahead with the answer..

Yeah. So I was reading about expenses broadly because we don't guide by a functional area. But as Philippe mentioned, he went into some of the details around how we're investing in the operations in the back end. So you can use that guidance for building out your model.

Where we've tried to be clear is on the onetime effects of guidance around things like the MSSP contract which as you guys are aware, we share the information about how it's impacted our top line positively.

But obviously, we won't have it for 2017 so I'm sure as you're thinking about your models going forward you'll be taking that into account as a headwind as well..

And our last question comes from Sterling Auty with JPMorgan. Your line is open..

Hi, guys. It's Jackson Ader on for Sterling tonight. One really high level question from us and that is are you seeing any either increased demand or interest from customers after some of the recent attacks like Britain (30:15), and I think we're thinking mostly the den (30:12) attack that came out last week..

In fact, I would say – I will not say maybe directly because of that, but this is what we see at a very macroeconomic level. Today, as we all know, most large companies have embarked into what is called a digital transformation.

And what is happening today is that now they realize – and we see that spitting up which is essentially using newer technology, retooling their IT infrastructure to gain, to reduce cost and increased agility from a business standpoint.

What we see today happening at the macro level is that these divisions in these companies are starting to realize that today securing the current computing environment is becoming more and more and more expensive and diminishing returns.

So there's now a demand that we see that favors Qualys significantly and we already have quite a few very significant example about that.

They see that if they move it, if they accelerate and work for example that example of a very large bank in Europe, which has publicly announced that they accelerate the additional transformation from the five-year plan down to a three-year plan, and Qualys now is becoming critical for advanced securing the new infrastructure because the current security and compliance solutions were designed for that, if you prefer, client-server typical computing environment and not at all for this now more cloud-based computing environment.

So that's where we see the demand for our solutions. That ability that we have today to provide you with that two-second visibility across your entire global IT assets, this is really what differentiates us. And in addition to that, we can now provide you with a continuous view of the security and their compliance. That's quite significant.

And next year, as I've indicated it in my introduction here, that we're going to be able to allow you to also detect where you have zero days almost instantly without having you to search.

We will tell you exactly where you're exposed to zero days, and we're going to tell you where we have identified assets which have been already compromised or assets which we highly suspect that they're being compromised.

And all of that out of one single platform, eliminating significant – for a large corporation, you speak about millions of dollars of cost that we can eliminate. So that's where Qualys is extremely well positioned, and that's what really make us very, very positive about the future of Qualys..

And our last question comes from Stephen Kalche (33:08) with Stephens. Your line is open..

Yeah, hi. I figured I'd sneak in here at the end. This is Stephen (33:16) on for Jonathan.

With regards to adoption of the Cloud Agent, is the primary service that benefits from increased adoption, whether it's from a new client or an existing client, is that VM that primarily benefits from that, or are you also seeing the Cloud Agent being utilized for other services? Thanks..

So, yes. So a very good question. So we have, in fact – yes, it does benefit (33:40) very strongly, sorry, VM, because it eliminates to need scanning Windows, it eliminates the need to fetch credentials and it gives you real time. So that's, of course, very important.

It also benefits, for the same reason, by the way, the Policy Compliance application, and now what we see is a very strong adoption of our agent or the fourth – the providing the asset inventory. We really believe that today the number one issue that large corporation has is that they do not know what they have, who owns them, where are they.

And of course, you cannot secure what you don't know. So there's a new understanding because of the breaches that despite all the billions of dollars that we're pouring into securing that environment, the breaches are not stopping, very clearly.

So now there's a very clear conscience that you need to know what you have, which is making, I think, a global and continuous view of your global IT assets. And again, the world is changing so whether you have existing assets on premise, whether it's your end points or again, whether it's your now cloud environment.

So again, what we did with that absolutely integration, while pre-install – our Agents now are pre-installed in the Microsoft Azure platform, which is quite significant. And so that's what we offer today. So this is where we see, if you prefer, that demand.

So the fact that we see a very strong employment of our Agent, for us this inventory, this is really underscores that capability that we now have..

Thank you. Thank you, everyone, for attending our Q3 earnings call. As mentioned in our press release earlier today, our Analyst and Investor Day will be held in New York on November 17. At that time, we will discuss the company's vision, strategy, product roadmap and investment highlights, as well as showcase our new services.

And we are delighted that Mark Butler, Enterprise Information Security Officer Advisor will be with us to present his perspective on the industry and Qualys' competitive position in the marketplace. We look forward to seeing you then..

Ladies and gentlemen, thank you for participating in today's conference. This concludes today's program. You may all disconnect. Everyone, have a great day..