Joo Mi Kim - Qualys, Inc. Philippe F. Courtot - Qualys, Inc. Melissa B. Fisher - Qualys, Inc..

Melissa A. Gorham - Morgan Stanley & Co. LLC Bill Choi - Wunderlich Securities, Inc. Robert Breza - Northland Capital Markets Matthew George Hedberg - RBC Capital Markets LLC Robert Owens - Pacific Crest Securities, Inc. Steven Couche - Stephens, Inc. Jayson A. Noland - Robert W. Baird & Co., Inc. (Broker) Christopher Speros - Stifel, Nicolaus & Co., Inc.

Michael Wonchoon Kim - Imperial Capital LLC Ugam Kamat - JPMorgan India Pvt Ltd. Erik L. Suppiger - JMP Securities LLC Siti Panigrahi - Wells Fargo Securities LLC Srini Nandury - Summit Redstone Partners LLC.

Good day, everyone. And welcome to the Qualys First Quarter 2017 Earnings Conference Call. This call is being recorded. At this time, all participants are in a listen-only mode. Later we will conduct a question-and-answer session and instructions for asking a question will be given at that time.

I would now like to turn the call over to Joo Mi Kim, Vice President, FP&A and Investor Relations. Please go ahead, ma'am..

Thank you. Good afternoon and welcome to Qualys First Quarter 2017 Earnings Call. Joining me today to discuss our results are Philippe Courtot, our Chairman and CEO; and Melissa Fisher, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements.

Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Forms 10-Q and 10-K.

Any forward-looking statements that we make on this call are based on assumptions as of today and we undertake no obligation to update these statements as the result of new information or future event. During this call, we will present both GAAP and non-GAAP financial measures.

A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release and accompanying investor presentation with supplemental information are available on our website. With that, I'd like to turn the call over to Philippe..

Thank you, Joo Mi. And welcome, everyone, to our Q1 earnings call. For those who don't recognize my voice, I've not lost my accent. I'm just out of a good flu. So with that, Melissa and I are pleased to report another great quarter that included strong performance, both on revenues and profits.

This quarter, we saw year-over-year growth across renewals, upsells and new customers.

Qualys continued to replace capital management solution with both small and large customers and we continued to see evidence of the large, underpenetrated opportunity within our customer base as our policy compliance, for example, solution was adopted by major banks who were only VM customers before.

We also were pleased to see sustained growth performance among newer solutions, Cloud Agent and ThreatPROTECT. Melissa will provide you with more color on this.

We have now partnerships with all of the major global MSSPs, as we announced a partnership with IBM earlier this quarter that would add Qualys continuous cloud-based IT and security and compliance solutions to its Managed Security Services portfolio.

IBM will integrate Qualys technology to enable its customers with enhanced visibility of IT assets, vulnerabilities and threat data, accelerating the prioritized remediation and simplified management of the IT security and compliance posture at scale.

Concurrently, we launched a new Qualys app for IBM's QRadar Security Intelligence Platform that allows customers to have an improved visibility and analytics tools to help them identify risk metrics and take actions against key threats.

As you may recall, at RSA we launched Web 2.0 combined with WAS 5.0, which integrated together brings Web Application Security to its next level by offering unprecedented scalabilities and remediation capabilities in the form of a one-click patching.

We also showcased our File Integrity Monitoring, which is in beta now and the detection of Indication of Compromise solutions, which will be in beta in the next few weeks.

These new solutions, which leverage our Cloud Agent technology, enables our customers to have a deeper continuous view into their security and compliance posture at a click of a mouse to a dynamic and customizable dashboard and alerts.

The new solutions expand our potential share of our $4 billion addressable market and position us very well for continued growth as – and as already mentioned in our last earning call we plan to launch additional solutions in beta in Q4 of 2017, including Patch Management, Digital Certificate Management, and Passive Scanning.

During the quarter, we also continued to widen the technology gap between our Cloud Platform and the competition with our Qualys Virtual Scanner Appliances now able to be directly deployed from the Google cloud launcher to the Google Cloud Platform. Our virtual cloud scanning capabilities now cover all major elastic environments.

Furthermore, IDC confirmed that we have taken the number one market share position over IBM and HP in the $1.6 billion vulnerability assessment market.

Our strong positioning in the market is driven by our unique ability to provide enterprises with both a single-pane view that enables two second visibility of their entire global IT assets, whether on-premise endpoints or elastic cloud environment, as well as the continuous view of the security compliance posture, the customizable dynamic dashboards and alerts.

As importantly, our Cloud Platform and solution add enterprises large and small to secure the digital transformation, while reducing significantly the security and component spend, enabling them to consolidate multiple disparate on-premise security and compliance solution in a single platform that is centrally managed and self-updating.

Our Cloud Platform and the global visibility it provides is the results of 10 plus years of continuous innovation starting in the Silicon Valley and now also in Pune, India.

We believe it is the most comprehensive and technologically advanced in the markets in which we compete and yet we continue to innovate in order to deliver more value to our customers and remain ahead of the competition.

In fact, we have now added new technology components to our platform to enable us to ingest, process, analyze and store high volume of sensor data coming from our agents, scanners and soon passive scanning analyzer and correlate that information at near speed, light speed, in a distributed manner for millions of devices.

We now have, in fact, over 25 billion security data points indexed in our elastic search clusters providing almost instant query results. This gives us, our customers the two-second visibility without them having to index large amount of data.

We have deployed new Cassandra node clusters at the back end for FIM, File Integrity Monitoring, and IOC, detection of Indication of Compromise, data collection providing us highly scalable data store compared to traditional RDBMS.

This failure resistant and highly available data store with linear performance stores millions of events per second and ingest data regardless of type, which will provide superior performances specifically for FIM and IOC, which depends on analyzing millions of events.

We have deployed also a new Kafka node to enable us to have a heavily distributed processing farm that would allow us to process data points and events coming from our sensors in near real time at rates of millions per second minimizing processing delays in analyzing events and changes happening in customer's network on a continuous basis.

We are also now deploying Redis, which is a high-speed in-memory cache that reduces expensive disk rights and speeds up all analytics operation.

In summary, with our upcoming solution and strengthening back-end, we believe we will be the only platform capable of providing global prevention, detection and remediation in a scalable and cost-effective manner across on-premise, endpoint and elastic cloud environments.

Supporting these just yesterday Frost & Sullivan recognized Qualys with 2017 Global Vulnerability Management Market Leadership Award highlighting the company's area of excellence in growth, strategy, product quality, customer ownership experiences and unique platform technology leverage.

As we seek to ensure that the market recognizes the full breadth of Qualys cloud platform and the value we provide not only to security teams but also CIOs, we have hired a new CISO. Many of you met Mark Butler at our last Analyst and Investor Day in New York. He was formerly a customers of ours as the Chief Information Security Officer at Fiserv.

He joined Qualys because he saw the opportunity for Qualys to emerge as a leading platform amidst the stack consolidation occurring in the marketplace.

In addition to Mark, we have also recently hired a new vice president and general manager for our SMB and SMB market as we see additional upside to increasing management of our very profitable smaller enterprise business. With that, I will turn the call over to Melissa to discuss our financial results in detail. Thank you..

Thanks, Philippe, and good afternoon. I'd like to begin by sharing some color on, as some would call, our durable top-line. We are delighted with our first quarter performance. Total revenues in the first quarter were $53.1 million, which represents 18% normalized growth over the first quarter of 2016.

There was a negative impact on our Q1 2017 revenue growth rate of approximately 200 basis points from the MSSP contract and 100 basis points from FX. As Philippe mentioned, we saw strong performance across renewals, upsells and new customer business during the quarter.

We continue to see adoption of our platform increasing with the number of enterprise customers with three or more Qualys solutions rising to 27%, up from 21% a year ago and their spend in the quarter increasing 27% year-over-year.

The number of customers with a quarterly average spend of over $100,000 continued to show strong growth, increasing 32% year-over-year in Q1. And the cumulative revenues for these customers grew 44% year-over-year. In fact, the average deal size for all new customers grew 44% year-over-year.

On a reported growth rate basis, our Other Security and Compliance Solutions revenues increased 23% over the year-ago quarter, in part due to Web Applications, Scanning and our SMB and SME customer base and our Vulnerability Management Solutions revenues grew by 12%.

As we've discussed, we see the opportunity to accelerate our growth rates with our new solutions but we are in the early stages of adoption.

Having said that, we continue to see very good performance from both the Cloud Agent platform and from ThreatPROTECT with new products released since 2015 contributing approximately 8% of total bookings in the quarter.

These bookings are mostly due to Cloud Agent, which includes the associated subscription to either Vulnerability Management or Policy Compliance and include renewals that convert to Cloud Agent. We had 2.6 million Cloud Agents purchased in the last 12 months, up from 2 million last quarter.

And we saw the highest year-over-year growth rate of Cloud Agent bookings since launch. Let me now address our deferred revenue balance. Our current deferred revenue balance was $120 million as of March 31, 2017, 18% greater than our balance at March 31, 2016.

Normalized for the impact from FX, our current deferred revenue balance would have grown approximately 20% year-over-year. Before moving to our profitability and cash flow, I would like to remind everyone that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non-GAAP results.

Our non-GAAP metrics exclude stock-based compensation and nonrecurring items. A full reconciliation of all GAAP to non-GAAP measures is provided in the financial tables of the press release issued earlier today and is available on our Investors section of our website.

Also note that certain amounts in prior periods have been reclassified to conform to the current period's presentation. As we discussed on our last call, 2017 is another investment year for Qualys. And in Q1, we continued to grow both our head count and infrastructure.

Because our unique operational model is so profitable, investing today to accelerate our growth and gain greater scale enables higher margins for the future. In Q1, our gross margin remained flat sequentially at 78%, which is very healthy when you consider our continued investments.

Gross profit increased by 11% year-over-year to $41 million in the first quarter of 2017, but our margin was down from 80% in Q1 2016. The year-over-year decline in margin was driven by increased head count, as well as higher depreciation from software and hardware to support continued scaling of our operations.

Operating expenses in Q1 increased by 18% year-over-year to $29 million. Research and development expense increased to $8.6 million or 26% year-over-year, primarily due to higher head count. Sales and marketing expense increased to $14.9 million or 16% year-over-year, primarily due to higher head count as well.

G&A increased to $5.8 million, 15% year-over-year, largely due to payroll taxes from a larger amount of options exercised this quarter. Adjusted EBITDA for the first quarter of 2017 was $16.8 million, representing a 32% margin as compared to 35% in the first quarter of 2016.

Net cash from operations in the first quarter of 2017 increased by 89% to $32.4 million compared to $17.1 million in the same period in 2016. Free cash flow generated in the first quarter of 2017 was $27.9 million, compared to $12.8 million in the comparable period of 2016.

The year-over-year increase in operating cash flow was driven by the overall growth of our business and increased number of prepaid multi-year deals and the benefit of the new accounting standard, ASU 2016-09, which bumps operating cash flow compared to prior periods by including the excess tax benefits from stock-based compensation.

Excluding the benefit of the new accounting standard, cash flow would have still grown very strongly at 60% year-over-year. Capital expenditures were $4.5 million in the first quarter of 2017 compared to $4.2 million in the first quarter of 2016.

Capital expenditures in Q1 came in below our previous expectations as timing on certain purchases shifted into Q2. We expect CapEx related to our operations in the second quarter of 2017 of between $6 million and $7 million.

We also expect to begin work on our new headquarters in Q2 and we anticipate CapEx related to that to be another $3 million to $5 million for a total Q2 CapEx spend of between $9 million and $12 million. Now turning to guidance, starting with revenues.

For the second quarter of 2017, we expect revenues to be in the range of $54.3 million to $55.1 million, representing an estimated normalized growth rate of 16% to 17% based on our current FX forecast, as well as the previously mentioned impact from the MSSP contract.

We expect GAAP EPS for the second quarter of 2017 to be in the range of $0.15 to $0.17 per diluted share, while non-GAAP EPS is expected to be in the range of $0.19 to $0.21 per diluted share.

We expect our operating expenses to sequentially increase throughout the year as we continue to expand our platform and build out and move into our new headquarters.

We are thrilled to have started 2017 with such a strong quarter and are excited about the expansion of our solutions, which uniquely position us to become the ubiquitous security and compliance platform.

For the full year 2017, we are raising the bottom end of our guidance for revenues bringing our current guidance to a range of $225 million to $228 million. We believe the additional services will increase our stickiness with our customer base, accelerate growth and set ourselves up for expanded margins in the future.

With that, Philippe and I would be happy to answer any of your questions..

Thank you. The first question is from Melissa Gorham of Morgan Stanley. Your line is open..

Great. Thanks for taking my question and congrats on the quarter. So I just wanted to dig into the upsell metrics that you disclosed. So you noted a pretty meaningful uptick in the number of customers adopting three or more products. I'm wondering if you could maybe give us some more details on what solutions are driving that adoption beyond VM..

It's really a mix. I mean we see our customers expanding their scope of VM. We see them – Philippe talked about some customers adding on Policy Compliance that were VM only customers before, as well as taking up our newer products like Cloud Agent and ThreatPROTECT..

Yeah. And the Web Application Scanning as well, so..

Right..

Okay. And then, Melissa, you mentioned the cash flow benefit from an increase in prepaid multi-year deals.

Can you provide a little bit more color on that? And specifically, I'm wondering if you can quantify the extent to which contract durations increase?.

Yes. Overall, we still haven't seen a meaningful change in our contract claims. But as our deal sizes get larger, that combined with an increased number of prepaid multi-year deals created a situation where we were able to collect a significant amount of cash flow this quarter. We don't manage our business to necessarily drive multi-year prepaid deals.

It's often frankly our customers who view us as a strategic partner who come to us to seek a longer-term agreement..

Okay. Thank you very much..

Thank you. And the next question is from Bill Choi of Wunderlich. Your line is open..

Okay. Thank you. Last quarter you talked about an environment where deals kind of closed towards the end of the quarter and slipping. How are you seeing that environment now? And then one of the biggest questions I get most commonly is there's a continued enterprise move to the public cloud.

And with that growing, why do you need a Qualys? And clearly you're doing well here, but if you could readdress what that move to the public cloud is pulling in terms of demand, what type of products and how is some of the engagements are changing? Thank you..

No. No. This is a very good question. So as far as the deals slipping, this is – some quarters they come early. Other quarters they come late. When you look at over – I mean this is not really that significant.

As far as your second question, in fact, that movement to the cloud we see that accelerating or what you could call the digital transformation of the enterprise and I think Qualys is extremely well-positioned here. Why? Because we can provide our existing customer with the visibility on platform like Azure, like Amazon, and now like Google.

And, of course, we do that uniquely because our customers can on one hand consolidate and save a lot of dollars out of their current spend in security but also now with that same platform they can now, of course, have that same view of the security across older cloud environment and that's very unique. So, I think we're extremely well-positioned.

We're also moving into container security big time. Also, our big spending our – what we call code name Cloud the 360, which is a major engineering effort also that while going to provide the constant visibility across multiple clouds, I will remind you that we have already succeeded in doing something which is quite exceptional.

Our agents are now embedded in Microsoft Azure, which means any Azure customers can essentially invoke at a click of a mouse a Qualys agent to have the view of their security and compliance posture on Azure and we're doing many more things around that. So, for us, I think it's very welcome.

As you know, why can we do that which is the question? It's because our architecture was cloud-based and as a result of that we could migrate our solution much more easily than any enterprise solutions into the cloud because our architecture was right from the beginning..

And then you talked about this relationship with IBM and new app you're using – created that takes advantage of visibility and analytics and that gets me thinking more about what kind of value you could derive from the Vulnerability Management database you're building, particularly as analytics becomes more important.

What are some ways that you're looking to monetize and how can we see revenue come from such efforts and then in what timeframe? Thank you..

Yeah. So, as you know, IBM is a very powerful machine. It's a machine that grinds slowly. But when they grind, they grind. We have established a very good relationship with them which is at the multiple level. One, we're a natural extension for them on their Managed Security Service. If you remember we replaced what they had with Rapid7.

But more deeply what we provide to QRadar is the asset inventory capabilities, which makes their solution smarter.

So with that, of course, we see the benefit of bringing more and more data into QRadar which will increase the value and for us it establish further Qualys as the company who collect the data, give you the asset inventory, and also give you the full view and continuous view of the security and compliance of those assets.

And, again, not only just for the endpoint or not only for the on-premise, but on the cloud – for these three environments which is also very unique. I don't know of any company who does that today..

And any thoughts on how you monetize it and....

I mean the monetization is, of course, we have that MSSP relationship and this is starting to occur. It's going to take some time but, of course, it will grind, as I mentioned. And the rest is much more us continuing to establish a good relationship with IBM, be a very good partner in their QRadar initiative.

We see them playing some very strong position in emerging countries as well. So for us it's a very powerful partnership. I've always had a good partnership with IBM, as I mentioned earlier. And so we know them very well. They know us. I think they respect us. They respect our technology. So it's just a question of time.

That thing will grow naturally and will grow well..

Thanks..

Thank you. The next question is from Robert Breza of Northland Capital. Your line is open..

Hi. Thanks for taking my question. Nice quarter. Maybe, Melissa or Philippe, really kind of piggybacking on one of the questions asked earlier around strong customer adoption of three or more applications. And I know you mentioned 8% kind of came from Cloud Agent combination with ThreatPROTECT.

When you look out maybe 12 months from now, how do you see the mix between, let's say, new products and VM and maybe just some context to maybe put a range around to think about the diversification away from VM?.

the IT security, Infosec, you have the AppSec for the applications, you have the endpoints, and then you have, of course, now the cloud and now you have the DevOps.

So our architecture what we have done here essentially we're now packaging that to solve the problem of each of these different groups with the combination of all these different applications.

So at some point in time looking further, I'm not going to think any more about web application, scanning, or about this, about that, about these different applications. We're providing end-to-end solution, which give you the visibility. You can now identify all of your global IT assets, again, across your different environments.

Then from there you can synchronize that with your CMDBs and then you can have the view of the global security and compliance. So it's going to be all that fuses. And, of course, at the end of the day, all the data that we collect through these various engines or application engines, we index that.

I mentioned about all the enhancements we have done into our back-end to be capable of managing and sifting through that significant millions of data per second that we're collecting.

So that's the way we see ourselves is that solution that is going to be able to capture a lot of information and then digest it and then presenting that in the way that fits the endpoint team, the web application team, the Infosec team, et cetera. It's a different view of the world and of the cloud teams..

And I would just add. We're really focused on growing the total company because, for example, the solutions that you talked about obviously are newer ones, are doing very well. And we're very excited that, for example, Cloud Agent had the highest year-over-year growth rate since launch. But Cloud Agent for VM, for example, is a VM related solution.

So that's not going to change the diversification in that instance. The File Integrity Monitoring and detection of Indication of Compromise are not really the end solutions, per se. So we're continuing to give this level of color because we know it helps the investor community get some transparency.

But we're focused on as we've described solving the solutions of various security teams..

Yeah. The way we see that – another way of how we look at our business, it's all about, of course, keeping our customers, selling them more solution and, of course, expanding.

And the more solution, that's what the metrics of 27% now of customers which have bought more than three solution is important and we want to see that growing because it makes us significant more sticky.

We create value, but at the same time of becoming sticky, it reduces the spend from our customers, so it's a good stickiness because there is quite a lot for our customers in that process. And so that's where we are really focusing on.

And, of course, the more we adopt, the more customers adopt, the more we grow and the more we grow profitably because the cost for us to deliver, maintain and support all these additional operations, solutions, of course. And you see that already in our business model.

So, their ability to one single platform, that's where the big investment of Qualys has been. It took us a long time to get there, but I think we are really getting there now. And, of course, that should mean very well for the future of Qualys..

Maybe one follow-up for you, Melissa. On the deferred revenue, was up you said 18% outpacing revenue and outpacing even the normalized revenue or close to it.

Is there a change in contract length or what are you seeing as a deferred revenue? Or is it more again going back to the customer adoption of taking more solutions?.

So, remember, our current deferred revenue growth relates to – doesn't include our multi-year to contract length. It wouldn't affect that. That's for revenue that we expect to recognize in the next 12 months. Yeah. We had a good quarter from a year-over-year growth rate.

In fact when you take into account the impact of FX it was actually 20% year-over-year. And what we are seeing there is, as we discussed, increasing multi-product adoption and I think it's a reflection of that, we are becoming a more strategic vendor to our customers.

The other thing I would keep in mind that I've said before is deferred revenues is influenced by factors such as the timing of invoicing. So I know it's one of the closest metrics that people can use for trying to get to a bookings numbers, but it's not always going to mirror, not on a quarterly basis.

Over the long-term it will, but, yeah, not on a quarterly..

Great. Thank you very much..

Thank you. The next question is from Matt Hedberg of RBC Capital. Your line is open..

Yeah. Thanks for taking my questions. With a broadening product platform, you seem to be having a lot of success with new products.

What sort of additional investments are going to need to be made to go at more of a top-down CIO-level sales? It would seem like if you come in at a strategic level, there'd be more of an opportunity for this broadening suite. Just curious on your thoughts there..

Yeah. Matt, so we look at that absolutely. That's one of the reasons, by the way, why we hired Mark Butler, because that's essentially his mission, is to essentially evangelize the Qualys platform from the top to CIOs and CISOs.

And, of course, we are beefing up our new business sales force, and of course, with our existing customers who are already very well established. So it's spending a little bit more time with the management – with the top management for new businesses really advocating that value. So yes. So we're doing that.

But, again, with our model, it's not something (33:23) that I have to unleash a huge sales force pounding on the pavement. We're very, very leveraged. We have also very large partners. We have now – Wipro is kicking in pretty well. They have all the relationship, of course, with their customers at the very top.

And, again, it's for us to make sure that our partners also understand now the value of Qualys. And, quite frankly and quite simply, the more new solution we deliver, the easier it becomes..

That's helpful. Then maybe one more. Your solutions would strike me as fitting well under the GDPR European breach notification framework that goes live about a year from now.

Curious if you're seeing any sort of additional demand from Europe, either now or maybe in the pipeline, as it relates to GDPR?.

Yes. So it's fine. Absolutely. So there's no question about that. In fact, we have two things on GDPR. First of all, we have now established on our Policy Compliance some of the GDPR framework. So that's a very natural extension.

We just announced some new frameworks from the Federal Reserve Bank in India, which we see by the way as a significant market for us, a significant growth opportunity market, where we're, of course, very well established now there. So that's the natural phenomena.

We see a deeper phenomenon which I think I mentioned on the previous earnings call is the fact that we see now major corporation now accelerating their digital transformation in Europe. And they do that essentially two ways.

One is adopting the clouds big time, worth mentioning the example of Societe Generale, which publicly announced that they were accelerating the digital (sic) transformation program mainly because of GDPR because this company concluded that in a way trying to secure their current IT infrastructure with all the holes that you have, all the complexity with enterprise security solutions, traditional on-premise that do not scale that are very difficult to integrate.

So that was really throwing money and they were better putting that money into accelerating their digital transformation and going to cloud solution.

The other way they are doing it is a lot of them are now moving their IT operations either to India or to other region like Poland to try to streamline and, again, use that as the impetus to accelerate their digital transformation. And that, of course, plays very well with us.

We have this discussion with many of our large customers as we speak in Europe. And, again, we have established a pretty significant customer base in Europe today. So that's good for us in a way..

Thank you..

Thank you. The next question is from Rob Owens of Pacific Crest. Your line is open..

Great and thank you for taking my question.

I wonder if you could touch a little bit on renewal rates, both what you're seeing from a dollar base renewal rate as well as a customer renewal rate in the fourth quarter – in the first quarter, excuse me?.

Yeah. So we actually added to our investor presentation this quarter a customer count renewal rate because that had been requested of us. And we've broken out by enterprise and SMB SME. And the enterprise rate is approximately 90% and SME SMB is 80%. And it's been around that area for – we did some work looking at it historically. It really hasn't moved.

In terms of dollar rates, we focus on dollar expansion, which includes the upsells. And we give that out on an annual basis and it was 104% for the company as of Q3, which was at our Analyst Day. And you can imagine enterprise is slightly higher than that and SMB SME is a bit lower. But, again, I don't think that's changed materially.

If anything, it's probably in step a bit (37:46)..

Yes. And I'd say also, Rob, what I could add also is that these numbers in fact underestimate our renewal rates if you could really measure them. And the reason is because we see sometimes company consolidating, buying another of our customers. So, of course, we have not lost a customer, but, of course, it's now part of a bigger entity.

And we see many of that. I remember the day when Oracle was buying our customers one after the next one, with PeopleSoft, et cetera, et cetera. So that, of course, in a way, give you less renewal rates. Also there's now benefit of a bigger discount because there's more volume but still it means that Qualys is strengthening, not weakening.

So our renewal rates, in fact, are very, very healthy. And, again, they are a little bit underestimated because of these two factor that I mentioned, especially on the enterprise. On the SME & SMB, you have always customers that disappears. You have much less loyalty there.

So you have typically renewal rates which are not, but again, they are acquired or they're moved or they disappear. But all-in-all, we have very strong renewal rates..

Yes. And that was part of our anecdotal color for the call, about the quarter. We saw, frankly, strong performance across renewal upsells and new customers..

Great. Thanks. And then if I look at the platform adoption, you talked about 27% of customers having multiple products. Why aren't you seeing more growth then in the other security solutions? Is there something falling off in that bucket? I know it was only up 23% year-over-year.

I think $11 million – or $13 million, excuse me, versus $11 million a year ago where we might see some acceleration there if the multiple product strategy in these new categories continue to catch on? Thanks..

Yes. Well, there are a variety of factors that go into them. Some of the increased multi-product adoption is going to be from VM customers taking ThreatPROTECT. So, for example, that would still be in the VM bucket. And the other thing to remember is the break out of VM versus other security and compliance solutions is done on a reported growth basis.

And so there was a negative 300 basis points impact to the growth rates as a result of the MSSP contract in FX, so you kind of add back 300 basis points and you're at, let's say, 26%..

So the MMSP actually impacts those other security solutions as well?.

Yes..

Great. Thanks for the color, Melissa..

Thank you. The next question is from Steven Couche with Stephens. Your line is open..

Yes. Hi. This is Steven on for Jonathan.

With regards to the new SMB position, how do you plan on utilizing that position? I know historically you've been mostly a direct to enterprise and maybe just give us the broader strategy for doing better with SMBs?.

No. In fact, we have always had – it's mainly our SME SMB business are done via telesales, although we have partners also reselling what we call our Express and Express Lite package. Same core base but packaged differently depending therefore this market. What we see here is now that we have a – it's a significant business today.

We want to really make it more of a business unit on its own, while revamping our website. So we want to have more for the website also, which will target the SME & SMB because we believe we can grow that marketplace much faster.

So we brought somebody who has the experience of building at scale, as that person was running the visual certification business of Verisign, which was at the time when he left a $200 million business.

So I think the time has come, so we could really make that unit more of a true business unit than being part of, if you prefer, our overall sales and marketing operation..

Yes. And just to give some color to how well established – I mean it's already been built out. If you remember, at our Analyst Day, we shared the breakout of our customer count. And 83% of our customers are SMB SME. So that's a large part of our 9,300 customers. But as Philippe said, we see opportunity to really scale it to the next level.

So we're excited to have our new General Manager..

Okay. Thank you. And then maybe one more. Can you give us a quick update on the MSSP agreement that was announced last first quarter? I think on the call you had mentioned that there were six quarterly fixed payments.

So could you just update us on that? And then if there would be anything there that might affect business throughout the remainder of the year? Thank you..

Sure. So the MSSP agreement that was signed in Q1 of 2016 was a multi-year contract. And so we're in the second year of it. Not much has changed. It is quarterly billed, so that's actually four payments per year.

And we expect that after this year we won't have to talk about the impact on revenues which we're talking about because last year we had large amounts of, call it, one-time double counting. This time we have the absence of it, so it's important that people understand what our more normalized growth rates would be.

But it continues to be a strategic partner and we continue to expect to see our business from them growing..

Yes. And, in fact, that partner has now adopted many of our new solutions which they are pushing, which I think is good for them and it's good for us..

Thank you. The next question is from Jayson Noland of Baird. Your line is open..

Okay. Thank you. I wanted to ask on your sales cycle with an increase in attach rates that may elongate a little bit and then a shift to the cloud which may shorten the sales cycle.

What changes have you seen, if any, over the last six months to 12 months?.

Well, I think, to the extent that we do very large deals, which has become more increasingly common, those do take longer. And sometimes that's because of multi-product adoption. But sometimes it's frankly – it could be very large single product purchases as well. But we haven't seen it necessarily changing the dynamics of our business.

Philippe, do you want to add more color to that?.

Yes. No. And the cloud, of course – the cloud we see – again in the SME SMB, of course, there's an acceleration, but that doesn't change the dynamic of SME SMB, which has always been reliably short-selling cycle. On the enterprise, we see them adopting, but again it's more bigger deals at the enterprise level.

So we don't see really much changes all in all..

Okay..

For what Melissa mentioned, we do bigger deals absolutely now. That takes a little bit longer, less predictable. So....

I wanted to ask on head count expansion too. If you could talk about your pace relative to full year targets. It's kind of hard to make hires in the category I would assume. And then specifically what roles you're hiring for? Thank you..

Yes. Well, we've added this quarter across all of our functions and in our R&D and ops. We do continue to see a little bit more than expected coming from India. And again, in a lot of situations, we are posting the job openings both locally here and in Pune. And we find the right people in Pune. So, again, we're all about finding the right talent.

And if it comes at a lower cost, that's just a benefit. So we feel very good about where we are. And we feel very good that we were in position to announce our CISO and our General Manager of SMB SME on this call today as well..

Thanks a lot..

Thank you. The next question is from Gur Talpaz of Stifel. Your line is open..

Hi. This is actually Chris Speros on for Gur.

Can you guys talk about what's driving the persisting demand for the Cloud Agent and the degree to which you're expecting the File Integrity Monitoring? And the other yet-to-be-released solutions that leverage the Cloud Agent to expand the annual spend of the current Cloud Agent installed base? And also can you talk about how many Cloud Agents that you currently have in active trials?.

So we have – so to answer your first question. The beauty of our Cloud Agent is not only it's very unique and very powerful architecture, but the fact that it's a natural extension. It makes our Vulnerability Management and our Policy Compliance much better, because it give you real-time. You don't have to have scanning Windows.

You don't have to have credentials. So that's where the thrust of that Cloud Agent growth, which, as Melissa mentioned earlier, we have now more than 2.6 million and required various active (47:15) trials as well. I mean the trials are still very strong..

Yes. It's about a million..

Yes. So it's – which has been like that since quite a few months already. So what's now – what the beauty of our Cloud Agent also is the fact now that this Cloud Agent has been installed, for our customers to adopt the theme and to adopt the IOC is also very straightforward because they don't need another agent.

They can immediately try our theme and our IOCs and future services as well. So you look at that as kind of a Trojan horse that we push our agent naturally through our VM and Policy Compliance application and where we already have a huge customer base. And now suddenly we have all these new services enabled.

So we expect a very big success on both the File Integrity Monitoring as well as the detection of Indication of Compromise. So I cannot wait to have that out of beta and selling them..

Yes. And I would just add. I think you should view our increased investment in our back-end as greater confidence in the market appetite for these solutions..

Yes, because effectively – because case in point, we realize also – and that's what we accelerated some of our efforts in the back end that we're now seeking a lot of data, so to make sure that we were not – that at the end of the day the growth potential that we see will not be hampered by the fact that we didn't have the back-end capable of digesting all that data.

So we took that initiative and very happy that engineering responded very well and we're very happy with this expansion that I mentioned earlier. And that's I what I mentioned there, quite frankly, the Kafka, the Redis and the, of course, our elastic storage capabilities and that's really a tall order. This is not that obvious to do and we did it..

Thank you. The next question is from Michael Kim of Imperial Capital. Your line is now open..

Hi. Good afternoon, guys. Could you talk a little bit about the pipeline for Web Application Security? You have a pretty good installed base on the scanning side and coming out of RSA, I'm curious about kind of the early feedback for WAS 2.0..

So the feedback has been very positive. We don't have that yet – a lot of traction yet in term of orders but I think the feedback is very positive. I think combined the WAS 5.0 and Web, you know, is driving in fact today part of the acceleration that we see in our Web Application Scanning market.

So I think we need another quarter or two to totally see that thing taking off substantially..

The next question is from Sterling Auty of JPMorgan. Your line is open..

Hi. This is Ugam Kamat on for Sterling Auty. Thanks for taking my question. I don't know if this might have been answered earlier. We have been juggling between calls. But you had a pretty significant billing speed in the quarter. But if I see the revenue guidance, you have just increased by $1 million, at the lower end.

I mean is it something where the deals from second quarter, third quarter got closed early, in the fourth quarter or how should we think about this?.

Well, you're right that in terms of our deferred revenues, it is affected by the timing of invoicing. So it's not a direct proxy to bookings. In terms of our revenue guidance, we had a great quarter and we raised the bottom end of our revenue guidance. We generally assumed that we will guide to a range of $1 million each quarter.

And where we have greater visibility, we will narrow the range, which we did in Q2. And it's influenced by a number of factors, such as the number of large deals, the timing that we expect the large deal to occur within the quarter, as well as potentially new products coming out.

So, in general, because Q3 and Q4 are larger quarters, we would assume that we will guide to a range of $1 million for each of those quarters. And so, that's how we ended up with our $3 million revenue range..

Thank you. The next question is from Erik (sic) Suppiger of JPMorgan. Your line is – I'm sorry, JMP. Your line is open..

Yes. Thanks. First off, you said the billings for the new products were 8%.

Can you tell us what it was last quarter? I think last quarter, the revenue was around 5%, but did you give us the billings from prior periods?.

So we haven't provided billings. What we had talked about last quarter was that for 2016, our newer products for the year were 5% of bookings. So we were providing that color in the context of how we were thinking about guidance for 2017. Obviously, 8% – we're very happy it's obviously meaningfully larger than it was a year ago.

But it's also really not a fair comparison, because the ThreatPROTECT, for example, didn't exist a year ago. So, I think, of all the color we've given you about how new products are performing, you should take that as our excitement about them..

Okay.

So it was 5% of billings for all of 2016, is what the new products were, then, is that correct?.

2017..

Okay..

Yes, but it's bookings, not billings, Erik..

All right. Okay. The VM grew 12%. Is that consistent with where it's been? Because I had thought awhile back, it was growing a little bit faster than that, maybe in the mid-teens.

Is 12% growth in VM – does that reflect any slowdown?.

Well, so if you actually normalize for the impact of the MSSP contract and FX, you end up back in the mid-teens, which is where the market growth is. And our historical ability to outperform the market has been because we've innovated around new solutions and our new solutions are just currently in the early stages of adoption.

So we definitely see opportunity to accelerate our growth rates there..

Thank you. The next question is from Siti Panigrahi of Wells Fargo. Your line is open..

Thanks for taking my question. Philippe, just following up on that question, the prior question on VM market. Just wondering if you are seeing any changes from your competitors, Rapid7 and Tenable, if they have stepped up investment or NKN (53:54).

Also are you seeing any kind of McAfee customers switching to you or any of your competitors at this point?.

So, in term of the competition, Rapid7, we've seen them trying to put more and more emphasis with their InsightIDR product, the Analytics. That's where we see them much less aggressive in a way on the enterprise market. They still continue to be, of course, on the SME SMB side, which we compete very effectively against them there.

As far as Tenable is concerned, we see them – if you may recall two months ago they announced that they were the first cloud-based VM solution. Now they are announcing the next generation VM solution. So they are making a lot of noise. But still we love to – you know the Tenable.io, it's still pretty rough.

So they're making a lot of noise and, of course, they have to try to take on our customers. And so far we don't see except for – they are more of a nuisance than a threat at this stage..

Thank you. And our final question is from Srini Nandury of Summit Redstone. Your line is open..

All right. Thank you for taking my question. I thought it would never happen. Anyway, the question I have is that I just want to understand your public cloud opportunity a little better. Now you're available on Microsoft Azure as well as through Google Cloud deployments. I was wondering if you are factoring any revenue from contribution in 2017..

So just to answer, we've been very – in all of these new services that we have we've been very conservative in any kind of evaluation because it simply takes time. Our vision is very big. In fact, again, as I mentioned earlier, having our agents embedded with Azure is not a small feat. And that this is done.

We have a bigger vision with our Cloud 360 view, which is essentially to really be the company that provide that visibility across all of your cloud because the world is not going to be a world where companies have the Azure cloud or the Microsoft Cloud or the AWS Cloud or the Google Cloud.

I think we are moving into an aberrant world, because these platforms are differentiating themselves. Some are much better in term of pricing and capabilities to really elastic clouds when we see, for example, Microsoft, especially with their private cloud, becoming more an enterprise-friendly solution.

So at the end of the day, the world is going to be the kind of hybrid world. So the key here is to give you that visibility across all of the clouds. And that's what we're doing. And so we'll make some more specific announcement about all the new things that we're doing at our next investor conference or at our user conference.

So we see a very good potential market for us. We are very well-positioned..

Okay. Just to jog my memory, are you guys also available on Google – on AWS? I'm sorry..

Absolutely. Not only are we available on AWS, but also AWS is using Qualys, like Microsoft is as well, to secure their own AWS platform. So we give the visibility to AWS across their entire cloud, so they could ensure that their platform is secure..

Okay. Melissa, just to clarify.

Are you guys factoring in any revenue contribution from these pocket cloud sources into your 2017 estimates?.

No. As I mentioned earlier, we are being very – we are very conservative in term of the adoption of all these new things. Again, time works in our favor. That's one thing that you have to understand. We're not an enterprise model whereby you've got to get the business, because if you don't – so we typically grow our customers.

We take them slow and small and we grow them. And so that's the beauty, in fact, of our model. So we always have seen people, it's essentially people are use – they pay what they consume unlike enterprise software, which you've got a lot of shelf-ware. That's not our model. So. It grows slowly, but it grows more profitably and over time it all adds up..

Thank you very much..

Thank you. And at this time, I'd like to turn the call back over to Joo Mi Kim for closing remarks..

Thank you, operator, and thank you all for attending our first quarter 2017 earnings call. We look forward to seeing many of you at the J.P. Morgan TMT Conference in Boston later this month..

Thank you. Ladies and gentlemen, this concludes today's conference. You may now disconnect. Good day..