Joo Mi Kim - Qualys, Inc. Philippe F. Courtot - Qualys, Inc. Melissa B. Fisher - Qualys, Inc..

Sterling Auty - JPMorgan Securities LLC Robert Breza - Northland Capital Markets Melissa A. Gorham - Morgan Stanley & Co. LLC Jayson A. Noland - Robert W. Baird & Co., Inc. Siti Panigrahi - Wells Fargo Securities LLC Srini Nandury - Summit Redstone Partners LLC Christopher Speros - Stifel, Nicolaus & Co., Inc. Michael Kim - Imperial Capital LLC.

Good day, everyone, and welcome to the Qualys Second Quarter 2017 Earnings Conference Call. This call is being recorded. At this time, all participants are in a listen-only mode. Later we will conduct a question-and-answer session and instructions for asking a question will be given at that time.

I would now like to turn the call over to Joo Mi Kim, Vice President, FP&A and Investor Relations. Please go ahead, ma'am..

Thank you. Good afternoon and welcome to Qualys' Second Quarter 2017 Earnings Call. Joining me today to discuss our results are Philippe Courtot, our Chairman and CEO; and Melissa Fisher, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements.

Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K.

Any forward-looking statements we may make on this call are based on assumptions as of today and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures.

Our reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release and an accompanying investor presentation with supplemental information are available on our website.

Beginning this quarter, we are also publishing our prepared remarks in the Investor Relations section of our website to make it easier for you to follow along. With that, I'd like to turn the call over to Philippe..

inventory, configuration and continuous view of their security and compliance postures. We showcase there its first two components, Cloud Inventory and the Cloud Security Assessment apps.

CloudView provides customers with configuration scanning capabilities and simplified workflow to assess, report, monitor and remediate security-related configuration issues based on the Center for Internet Security, CIS, benchmark. And this is currently in beta.

We also unveiled our CertView App Framework, which provide discovery and management of digital certificates and showcased its first two components, Certificate Inventory, CRI, and Certificate Assessment, CRA, scheduled for beta in September and for GA before the end of Q4.

As you may recall, earlier in the quarter at the Gartner Security & Risk Management Summit, we showcased four disruptive new cloud apps in the Qualys Cloud Platform.

First, Container Security, a new cloud-based Qualys solution that enables customers to address security for containers in their DevOps pipeline and deployments across cloud and on-premise environment. This is currently in beta. Second, File Integrity Monitoring.

This highly scalable and centralized solution reduces the cost and complexity of detecting policy and compliance-related changes mandated by increasingly prescriptive regulations such as the Payment Card Industry Data Security Standard. File Integrity Monitoring is currently in beta and scheduled for general availability before the end of Q3.

Third, Indication of Compromise. This service detects activity and behavioral changes on the endpoint and delivers to customers a continuous view of suspicious activity that may indicate the presence of known malware, unknown variance, or threat actors activity on devices both on and off the network.

This is currently in beta and scheduled for general availability before the end of Q3.

Fourth, Security Configuration Assessment, SCA, a new add-on to Qualys Vulnerability Management that allows customers to expand their vulnerability management program with configuration scanning capabilities and simplified work flows to assess, report, monitor and remediate security-related configuration issues based on the Center for Internet Security, CIS benchmark.

At Gartner, we also announced that the FedRAMP-certified Qualys Platform now supports the requirement laid out in the 2017 White House Executive Order, EO, on strengthening the cybersecurity of federal networks and critical infrastructure.

The Qualys Cloud Platform integrated out-of-the box support for the Defense Information System Agency Security Technical Guides, DISA-STIG, and the National Institute of Standards and Technology Cyber Security Framework, NIST CSF, reduces the time and cost for agencies to meet EO requirements.

In the quarter, we released purpose-built content, workflows and reporting of the Qualys Cloud Platform to provide customers with continuous IT asset visibility, data collection and risk evaluation for compliance with the European Union General Data Protection Regulation, GDPR.

This also helps customers with ongoing protection of personal data across IT environment and third party. Finally, we launched a 30-day free unlimited service to businesses worldwide to identify and track remediation of assets exploitable by the WannaCry ransomware that has impacted hundreds of thousands of computers around the world.

This week, we are extremely pleased to announce the acquisition of Nevis Network. This acquisition provide us with significant domain expertise in deep packet inspection or passive scanning, and also give us the opportunity to accelerate our move into the adjacent markets of mitigation and response.

This acquisition will also strengthen our commercial presence in India, which we see as a significant opportunity for our company, and we expect the transaction to close in Q3. And Melissa will provide further details.

Nevis Networks is based in Pune, India and will be integrated with our existing Pune operation, which continue to be both a competitive and a cost advantage for us. In fact, we ended Q2 with almost 300 employees there.

We remain more confident than ever in our strategy because we are essential to securing the digital transformation, enabling security to be built into the infrastructure rather than bolted on.

We believe the continued expansion of our cloud platform and its integrated apps will enable us to continue to grow the top line of the business, building a strong foundation of recurring revenues while maintaining industry-leading profitability. With that, I will turn the call over to Melissa to discuss our financial results in more detail..

Thanks, Philippe, and good afternoon. We had a great second quarter with both revenues and profits exceeding our expectations. We believe this reflects both the strategic value of our integrated cloud platform solution and its integrated Cloud Apps, as well as our highly profitable operational model.

In fact, the adoption of our platform continues to increase with the percent of Enterprise customers with three or more Qualys solutions rising to 28%, up from 22% a year ago, and their average spend in the quarter increasing 24% year-over-year.

You'll also see in our investor deck that the number of customers with annual revenues of $500,000 or more is up 40% year-over-year to 45%, with a 47% increase year-over-year in combined revenues. We're also thrilled to have the Nevis team joining us. First on Q2 results.

On the top line, total revenues in the second quarter were $55.3 million, which represents 18% normalized growth over the second quarter of 2016. There was a negative impact on our Q2 2017 revenue growth rate of approximately 200 basis points from the MSSP contract and approximately 150 basis points from FX.

We saw strong performance this quarter across renewals and upsells, and we saw particular strength in Vulnerability Management, including very good performance from the Cloud Agent platform. New products released since 2015 contributed approximately 9% of total bookings in the quarter.

These bookings are mostly due to Cloud Agent, which includes the associated subscription to either Vulnerability Management or Policy Compliance and includes renewals that convert to Cloud Agent. We also continued to see very strong performance in Web Application Security in our SMB and SME customer base.

From a geographic perspective, we saw very good results in both the Americas and EMEA, in EMEA, despite a worse currency environment. In fact, the average deal size for all new customers in those regions grew 46% and 19% year-over-year respectively. Let me now address our deferred revenue balance.

Our current deferred revenue balance was $125 million as of June 30, 2017, 20% greater than our balance at June 30, 2016. Normalized for the impact from FX, our current deferred revenue balance would've grown approximately 22% year-over-year.

Before moving to our profitability and cash flow, I would like to remind everyone that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non-GAAP results. Our non-GAAP metrics exclude stock-based compensation and nonrecurring items.

A full reconciliation of all GAAP to non-GAAP measures is provided in the financial tables of the press release issued earlier today and is available on the Investors section of our website. Also note that certain amounts in prior periods have been reclassified to conform to the current period's presentation.

Our Q2 results demonstrate our highly profitable operational model. Adjusted EBITDA for the second quarter of 2017 was $20.4 million, representing a 37% margin as compared to 32% in the second quarter of 2016. This contributed to a 100% year-over-year increase in GAAP EPS and a 29% year-over-year increase in non-GAAP EPS this quarter.

The 3% sequential decline in expenses relative to our expectations of a sequential increase was driven largely by lower software expenses in sales and marketing and more disciplined trade show spend, as well as lower hiring in G&A. In Q2, our gross margin increased to 79% from 78% in Q1.

Gross profit increased by 13% year-over-year to $44 million in the second quarter of 2017, but our margin was down from 80% in Q2 2016. The year-over-year decline in margin was driven by higher depreciation from software and hardware to support continued scaling of our operations, as well as increased head count.

Operating expenses in Q2 increased by 5% year-over-year to $28.2 million. Research and development expense increased to $9 million or 13% year-over-year, primarily due to higher head count. Sales and marketing expense increased to $14.3 million or 7% year-over-year, primarily due to higher head count and increased marketing expense.

G&A declined to $5 million, down 11% year-over-year, largely due to lower third party spend. Net cash from operations in the second quarter of 2017 declined by 5% to $16.5 million compared to $17.3 million in the same period in 2016.

The year-over-year decline in operating cash flow was driven largely by changes in the timing of orders and payments such as customers who paid in Q2 last year and paid in a different quarter this year.

Our operational model continues to be highly cash generative as reflected by our operating cash flow margin of 45% in the first half of 2017, up 900 basis points from the first half of 2016. Capital expenditures were $8.6 million in the second quarter of 2017 compared to $4.8 million in the second quarter of 2016.

Out of the $8.6 million, $4.8 million was for our business operations, and $3.8 million was for our new headquarters buildout. We expect CapEx related to our operations in the third quarter of 2017 of between $5 million and $6 million.

We expect the bulk of work on our new headquarters to occur in Q3, and we anticipate the CapEx related to that to be another $8 million to $10 million for a total Q3 CapEx spend of between $13 million and $16 million.

Now turning to the Nevis Networks transaction which is an acquisition of assets including employees, technology and certain customer contracts. As Philippe mentioned, the Nevis Networks' transaction will add a team of engineers who have significant domain expertise in passive scanning and position us in the adjacent market of mitigation and response.

The team is based in Pune, India, which is a low-cost geography for us so the additional expenses do not materially change our financial outlook. This acquisition is in line with our previously stated objectives of technology that can be integrated into our platform, good cultural fit, and appropriate valuation.

Post close, we will be working on integrating their solutions into our platform while they continue maintaining and selling their existing products in India. We have not currently assumed any revenues in our guidance from the Nevis Networks transaction because the revenue is immaterial.

In terms of guidance, given our performance to-date and the momentum we are seeing in the marketplace, we are raising the bottom and top end of our revenue rate guidance for full year 2017 to be in the range of $226.8 million to $228.3 million from the prior range of $225 million to $228 million.

We are raising the bottom end of our GAAP EPS range from $1 to $1.02. We are also raising the bottom and top end of our full year 2017 non-GAAP EPS guidance to be in the range of $0.87 to $0.91.

For the third quarter of 2017, we expect revenues to be in the range of $58.2 million to $58.9 million, representing an estimated normalized growth rate of 17% to 18% based on our current FX forecast, as well as the previously mentioned impact from the MSSP contract.

We expect GAAP EPS for the third quarter of 2017 to be in the range of $0.13 to $0.15 per diluted share, while non-GAAP EPS is expected to be in the range of $0.21 to $0.23 per diluted share.

We are thrilled that the first half of 2017 has exceeded our expectations and believe our new unified approach to prevention and response will position us to become the ubiquitous security and compliance platform, enabling us to continue to grow the top line and expand margins.

With that, Philippe and I would be happy to answer any of your questions..

Thank you. Our first question is from Sterling Auty of JPMorgan. Your line is open..

Yeah. Thanks. Hi, guys. You mentioned the good results in EMEA. And we saw CyberArk and Check Point have troubles in the segment, and there's lots of questions over what new regulations coming in might have an impact, either positive or negative.

Would love to hear what you saw in the quarter in terms of the regulatory impact, if anything, in your experience that drove the good results in this segment..

I think, Sterling, as I mentioned, in fact on the last earning call is that we see that GDPR is in fact a godsend for Qualys and we see the effect of that because specifically it is now accelerating the digital transformation of many of the large European companies because of the risk they now incur to up to 4% of the revenues.

As you know, they cannot essentially demonstrate, in case of a breach, to the regulators that they have done everything possible to ensure the security and the privacy of the data of their customers. So these companies – and I did mention Société Générale specifically last time.

Essentially what they realize is that continuing securing their current infrastructure with this enterprise point solution that are difficult to deploy and to integrate and very costly, is in essence a little bit futile.

And therefore, it's much better for them to accelerate the digital transformation effort, consolidation of data centers, moving some of their applications into a platform like Azure or AWS, and essentially securing the – and bolting the security in, building the security in rather than bolting it on.

Furthermore, WannaCry has been also a godsend for Qualys unlike for some other companies, because people finally realize that instead of having to buy solutions that supposedly protect them, that in fact they better try to identify all of their assets and also identify the vulnerabilities on those assets because this is WannaCry's and then Pitya absolutely demonstrated.

So for us, by the way, the European marketplace has always been consistent and good contrary to what some people says. The only impact that we had on EMEA was of course the very big drop of the dollar and of the pound, which of course affect our top line, while in fact being very good for our bottom line. So for us, EMEA is still continuing very well.

We have a very strong presence there. We have very large numbers of very large companies which have been loyal customers for many, many years. And what we see now is them starting to grow essentially adopting more applications, which now makes the revenue for Qualys. They spend bigger now with Qualys. That's the new trend that we're seeing now..

Got you. And then one follow-up question on the acquisition. Reading the materials on the website and other stuff on the Web, it sounds like the technology performs a lot of the things that you would see in Network Access Control or NAC.

Is that the way that you see it, and is this going to take your solution set into competing with Cisco and some of the private guys on the NAC side, or sort of are you implementing and doing something different with it?.

Yes. So, yes and no. So, no, effectively. So there's two things to that acquisition that we were looking for.

As you know, we said that also many times that what drives our acquisition and the reason why we have been very careful in the beginning or let's say not very eager to – we needed to expand our platform significantly so now a platform could much more easily adapt what I call foreign DNA.

So today we are very confident that with all the expansion of our platform that we have done with the fact that we're now 300 people in India, we have a huge, huge engineering and operation muscle now, that the time has come for us to look at acquisition, and this is the first.

So what guided us here is that these guys had really perfected a very good technology, the deep packet inspection passive scanning, which is the third technology that we are bringing into our platform. Today we have mastered scanning. We do more than 3 billion scans a year. We have also mastered now the agent.

Nobody can say that our agents are not revolutionary, they are. And now we're bringing that network analysis. Now in addition to that, as you mentioned, they have also the NAC, the network access control.

This is going to be significant for some of the solutions that we bring, and for example, the detection of indication of compromise which are going to be GA at the end of the month. So today, very uniquely, so like everybody else we have the hash of the indication of compromise, we compare them.

What is also unique with Qualys, we do everything in the backend so there's no hit on the devices, but we have also classified the malware into categories.

So instead of looking for the perfect match, we can identify the 60% or 70% match which could indicate or will indicate that this is a new variant of malware, which the malware is mutated to evade.

Now with that technology that we were building already, by the way, but now with the addition of the resources that we have now with Nevis, we're going to, of course, accelerate the availability of now trying to look at what's coming in and out of the device.

So if you see the device, for example, going into a DNS server and having a 60% or 70% match on the hash code, then you say, well, now we know that the device is compromised as well. And the beauty for our solution is that all of that is automated. You don't have – nobody has to do anything.

And so that's one of the use case of that Network Access Control technology. The second use case, because our agents beam up and as soon as you reconnect on the Internet, if you've got a device which have left the network, we know and we could analyze if the device has been compromised.

As a result of that, when the device comes back, we can quarantine. And that's where you go into the NAC, as you mentioned. We can quarantine the device. So fundamentally, one of the first use cases of that technology is in fact two use cases. One is to strengthen our detection of compromised solution.

The other one also is to – will allow us to have a global view of the asset inventory, including the shadow assets because now we can look at those devices which connect to the network and which are unknown.

Does that make sense?.

Thank you. Our next question is from Robert Breza of Northland Capital Markets. Your line is open..

Hi. Sorry, I had you on mute there. Just quickly and kind of maybe a follow-up on the last question, when you think about the environment that's out there, we've seen – I'm going to call it some spotty results from security software companies this quarter and it seems like you guys are obviously clearly bucking the trend in terms of execution wise.

Has the environment changed in your opinion, or is it just better execution from your own internal point of view around new products, sales execution, et cetera? I'd just like to get your color..

Now this is a very good question, and in fact it's both. Because on one hand, of course, the fact that we have expanded our platform, the fact that we're more solution, we become very, very – much more sticky and strategic. We have seen our renewal rate, for example, are getting better.

So that's for the execution if you prefer around the fact that now we are a platform that is really capable of consolidating quite a few security and compliance solutions. But the other thing is effectively, is the market is finally coming our way.

The marketplace was very much enamored to the solutions, the malware detection, all of these things, all that sophisticated user behavior, this and this and that, analytics.

And finally, people realized that you can deploy all of that if you still have not done a good job at identifying all of your global IT assets, identifying your vulnerabilities and remediating them or mitigating them.

You can put as many of this solution, you're going to continue being breached and that's what we see, by the way, almost every week in the newspapers. So finally, people start to realize that vulnerability management is a strategic application.

And so that plays in our game when in fact in the past it was working against us because people were rushing spending their money in putting some kind of protection solutions which turned out to be not as effective as they would've hoped..

Maybe just a quick follow-up. As you think about the customer spend, it's often been cited that customers were only scanning high risk assets. given the Agent adoption that you've seen, which is very, very good, it would appear that more people are scanning more IP addresses, more endpoints, that's what it appears to me, at least.

So when you're looking at this, how well penetrated from the number of IP addresses would you say that you're penetrating within an organization?.

In overall, relatively little. We have some companies, very few, which are doing millions of IPs per day, and these are the few but everybody's catching up. So we still have a lot. Just on the VM aspected side, we still have an unpenetrated market within our own customer base.

And then what is happening which is really helping us, we're essentially the only solution out there that scales because of our model. So we – of course, as soon as people, which are using another solution, wants to scan more, they realize that it's very costly with them, it's complicated.

And when Qualys comes in and oh, you want to scan a million IP every day? No problem. You want to scan thousands of web applications? No problem. We have the scalability working for us and the really quality of our detections as well. So the marketplace is finally coming our way two ways. One is the way you just indicated. The second way is the cloud.

Because if you want to secure the cloud or have a good view of the cloud, you need to have a cloud architecture. So our traditional competitors are rushing to try to find a solution, but we've been there for many years and our Agent, in fact, span across on-premise endpoint and cloud environment.

And we have totally integrated, for example, with Microsoft or Agents or any Microsoft customers on Azure, gone at a click of a mouse provision of Qualys Agent which comes, they have nothing to do. And then they have immediate view of their security and compliance posture, they have the Azure security center.

So without an agent technology like ours, you could not really do that as effectively and as transparently..

Thank you. Our next question is from Melissa Gorham Frank (31:41) of Morgan Stanley. Your line is open..

Thank you very much. So Philippe, you all have released a bunch of new products, at least into beta in 2017, File Integrity Monitoring, Indicators of Compromise, et cetera.

So wondering if you can help us maybe narrow down some of the solutions that you think holds the most potential for upside and what has received the most positive customer feedback thus far?.

So I would say – thank you for the question, Melissa. So I would say all of the above because I think all of the solutions that we bring to market, we're bringing them because we had absolutely discussed with our customers before. There's some which, of course, have more urgencies depending on the customers.

On the financial market, it'd definitely be the File Integrity Monitoring which is absolutely – everybody's really waiting for us to reduce that GA.

We have a big pent-up demand, and this is because the financial institution File Integrity Monitoring is a regulatory aspect to that and the current solution that they use are very expensive to use and to deploy. Not that they are bad solution.

In fact, they are pretty good solution, but they require servers that are huge infrastructure because they have a lot of data. So the cost of maintaining, supporting, updating the solutions, these traditional enterprise solution, this is the Siebel system versus Salesforce.com playing here, phenomena. So that's for that.

The detection of Indication of Compromise is much more broader, so a broad appeal for small, very large and old companies, very hot odd market. So we see today the huge pent-up demand for these. Of course, it's going to take some time to get that translating into revenues because you need to go through the budget approval, et cetera.

And our customers have the tendency for most part to put the up sell at the anniversary date of the subscription. So we've got kind of a lag, but I can tell you one thing.

Everybody – the betas that went down, everybody is absolutely very happy with that, and that's another reason to further consolidate application, consolidate a lot of these old enterprise security solution which, as we all know, are difficult to install, to maintain and to deploy. And so that is very good for us..

Got it. That's helpful. And then just one quick one for Melissa on the margin performance this quarter.

So the results were obviously better than what you guided to and you noted a few factors, but I'm wondering to what extent was the upside just driven by timing issues where there was maybe slower hiring than you initially anticipated or if this kind of reflects maybe a change in view in how you're balancing growth over leverage..

Thanks, Melissa. That's a great question. Yeah, it's not a change from the fact that 2017 is an investment year for Qualys. So to your point, some of it is timing in terms of actually finding the hires that we're looking for. Our philosophy is to wait until we find the right people as opposed to feel any pressure from outside targets.

We do expect expenses to sequentially increase in Q3 and Q4 across all functions as we're preparing to scale the back end for the release of these new applications that Philippe was just talking about. As well as hire more engineers to support the new products. And there'll be a little bit of an impact from the Nevis transaction as well..

Yes. And I will add one more thing, Melissa, is that because we have also deferred significantly our upstream where we really have wonderful upstream. We hired a VP of Ups now about a year ago, she has been doing remarkably good job.

And we have injected a lot of new technology, we have reduced significant cost in our Ups infrastructure by moving to newer technology. In other words, we are doing more and more what Facebook has done, which is try to be with all the new things and all contentization and everything, trying to move more into more much cheaper hardware.

And of course, the cost of the storage is going down. So there's also some very good efficiencies in our upstream here that I'm very happy to mention..

Thank you. Our next question is from Jayson Noland of Baird. Your line is open..

Okay. Great. Thank you.

And just to clarify on slower hiring, were the market was harder to hire in than expected, or this was just pushouts into the second half of the year?.

Yeah. That was specifically in G&A that I was referring to, and those are people that are going to be pushed out. I mean, it's areas like FP&A business applications where there are a few people or a few slots where we just didn't find the right talent..

Yeah. This also come back to the fact that we're also adding as much as we can automations. At the end of the day, we are very careful. And of course, we have also the impact of India where we have also moved a lot of the functions in India or complemented them that even in HR and in customer support.

So there's a lot of other economies offsets here that we're doing. So in terms of the hiring, we have always been going for the talent and we're being very careful that hiring, our philosophy is hire slow, fire fast. And that's what we do and I think it reflects in our numbers..

Okay. Thank you.

And then a follow-up, a really nice increase in large customers trailing 12 months, is that a function of an expanded platform or moving up into larger customers or what's the driver there?.

No, not exactly. This is the expansion of the platform. We see today customers expanding, buying more solution and it reflects to the metric that three years ago 11% of our customers had purchased three or more solutions, and today now it's 28%. So that's what you see here..

Thank you. Our next question is from Siti Panigrahi of Wells Fargo. Your line is open..

Hey, guys. Thanks for taking the question. I see that you have done a rebranding of Qualys, and then also a positioning of products into different solution category like infrastructure, cloud and apps and endpoint. I'm wondering, are you – I mean, first of all if you could share your thought behind that.

And also, are you planning to change any kind of bundling of products and pricing as it modifies the bundle? And also as a follow-up, are you planning any kind of change in your go-to-market or sales to more align into this kind of solution selling?.

This is a very good observation, Siti, and very good questions. In fact, effectively the reason why we essentially rebranded in a way the company, and in fact this is something that absolutely was planned in fact many years ago.

I was patient to wait until we had enough, expanded our platform, enough solutions to really instead of appearing as we were in the past like the very good vulnerability management company to really show that we were a company which was in fact seeing significantly more disruptive than people have ever thought.

Because you don't want to start to claim things before you have them. So effectively, so that rebranding is essentially to try to really illustrate that Qualys today offer a much broader solution.

So it's all about the platform, all about the fact that now we can consolidate many traditional enterprise security solutions, very much what Salesforce.com did. So this is our turn now. But also as well, as I mentioned earlier, enabling the company to secure, to build the security into their digital transformation.

There was two element which were flowing down the digital transformation of enterprise. One is the talent, the people who could help them go to this new infrastructures and type of application. And the second one was the security.

So I think we are the one that being – to make security invisible in those infrastructure as we are doing very clearly with Azure, with Amazon, with many other type of solutions as well. So that essentially what really helped us. Now in terms of now because we offered more, we are now starting to sell more from the top.

In the past, Qualys has been always selling bottom up to the techies, and then of course we went to the seesaws. Now today we have the ability to go to the CIO.

So you're going to see Qualys having initiatives starting early next year to essentially go and directly explain to the CIO the very simple fact that, one, we can give invisibility, which he doesn't have today across all of his global IT assets, that we can then provide the continuity of the security and compliance posture, that we can identify these assets which have been compromised, that we can do that across your traditional IT and all these different silos, and of course, through the endpoint, through the Web applications, et cetera.

So we stick to the silos because, of course, our multi-tenant user role based architecture and application we can provide to the person which is managing the different certificates, his own view. This is why we call the term view now. You could have your CertView. You could have your AssetView for infrastructure. You could have your CloudView.

And all of that is out of the same platform. So as a result of that, we save significant amount of dollars. Our large customers are between 30 to 100 applications. They cannot wait to reduce the stack. And that's what they all are asking us, and that's hence the new positioning.

And the refresh of the logo is essentially to really signal that security should be easy, it should be invisible instead of being that strong thing that you have to have to protect you. So it's all about now building the security into the fabric of that new computing environment, and that's the real mission of Qualys.

And that's the mission we had when we started the company back in 1999. So I'm really happy that we are finally getting there. It's been a long road, a profitable road because we were careful of not being ahead of ourselves. But I think today we're there.

So I'm looking for an inflection point in our model, which I was always looking, but I think we're getting there..

Thank you. Our next question is from Srini Nandury of Summit Redstone. Your line is open..

All right. Thank you for taking my question. Melissa, Philippe, can you talk about the average deal sizes or the trends you're seeing? Can you also talk about if the deal cycles are compressing? And I have follow-up, please..

Yes. Thanks, Srini. So average deal sizes continue to increase year-over-year. We've seen that consistently each quarter. We have focused on giving color on what stood out to us in the quarter, so this quarter it was the growth in average deal size for new customers in the Americas and EMEA.

And I talked about the Americas grew 46% year-over-year, and average deal size for new customers in EMEA grew 19% year-over-year. Across all new customers, it was a growth of 22% year-over-year.

And in terms of the other part of your question on sales cycles, we really haven't seen any shift other than when we do larger deals that encompass multiple products, for example, that obviously takes longer because there's more approvals to go through and procurement takes longer..

Okay. This question is for Philippe. Maybe it's a little technical but I would ask anyway. Philippe, you mentioned Cloud Agent is a foundational technology for your full stack.

Can you provide, first and foremost, some color? I think somebody asked already on the call, what percentage of your installed base already has a Cloud Agent installed? And more importantly, if you think about it from a perspective of getting this Cloud Agent into your installed base, why don't you bundle it with other solutions, when they upgrade it, probably get it for free?.

So, no. So these are very good questions, but generally speaking, today, I'd say every customers will move to the Cloud Agents, just a question of time. I would say today, I don't have the exact numbers, but more than 30% of our customers today have adopted one way. That will be – we'll verify that number, but that's my guess today and it's increasing.

We see every Qualys customers will use the Agent, that's for sure. That I can tell you. In terms of the bundling, that has been always part of our strategy in many ways, so we do that. There's some free services that we add that we were bundling.

So that's exactly – we are now starting to look at these kind of things because we have more – and that's why we have changed our terminology, we call them cloud apps.

We have the framework and then we have the cloud apps inside, and then we could effectively decide to do some kind of bundling or making some cloud apps totally free to gain market traction. We did that with CertView.

So if you look at CertView today, we had that SSL Lab, which has absolutely generated a lot of customers to identify, to measure the SSL. So there's – that's all the flexibility that we have. So yes, we will do the similar – things that way that you suggest, absolutely..

Thank you. Our next question is from Rob Owens of KeyBanc. Your line is open..

Hi. This is Liz (45:54) on for Rob. Thanks for taking my question. Just wanted to dig into the comment on the nice growth in average deal size for new customers. Would you say that's weighted more towards larger initial deployments, or maybe seeing larger multi-product deals? Thanks..

It's both. In fact, we have some time to have (46:13) now and like in the past, we have some customers, in fact, which really take three or four product solution from the get-go. And so that's a new trend, of course. And then, of course, we have our existing customers, which is essentially add more.

Still today, our market philosophy still remains that we don't do what these enterprise typical software company do, which is trying to get as much as they can and push the customer to buy more than what he needs.

We still are very truthful to our philosophy of let's just give to the customer what he can swallow, what he can eat, what he can deploy, and then we'll grow them. So it's really from the customers, but we do see effectively – in fact, the last quarter we had a major financial institution that placed a million-dollar order from the get-go..

Thank you. Our next question is from Gur Talpaz from Stifel. Your line is open..

Hi. This is Chris Speros on for Gur. Thanks for taking my question. You mentioned the Cloud Agent adoption increased to $3.4 million this quarter. How much of this growth is being sourced by new customer adoption versus sales into the current install base? Thank you..

It's actually a mix, Chris. We do see new customers disproportionally take on our newer solutions, but we see the Cloud Agent being adopted both by existing and new..

Thank you. Our last question is from Michael Kim of Imperial Capital. Your line is open..

Hi. Good afternoon, guys. Could you talk a little about market segmentation or customer segmentation? I think last quarter you talked a little bit about a new VP for the SME market, and I'm curious what's in the new initiatives and how that might change your selling motion..

No, in fact, we're always at that market segmentation.

The only thing that we did is that we have a very need-lead business on our SME/SMB business, and we want to make it – accelerate its growth, especially now that we have got more solutions and we hired essentially – we want to make it more for business-through-business unit, and that's what we hire somebody – which in fact the unit that he was managing has been sold by Symantec, which was the certificate business of Symantec.

And so which was at the time when Michael Lin was there, it was about a $300 million business if I recall that correctly.

So for us today, we're going to see much more marketing initiatives around the SME/SMB business, as well now more solutions to offer so it makes more sense now to really – one of the reason for our profitability, unlike some other companies which spend and wait to have the business to come – and hope the business will come to them, we are more on the other side and that want to make sure that we have the goods, and then we go and spend the money to accelerate the go-to-market, to accelerate the adoption..

And then in parallel, part of my agenda has been to use finance as a way to accelerate sales velocity. So for example, a big initiative this year is to put in place an auto-renew which we think would be viewed very positively by our SMB/SME clients, as well as increased usability of paying by credit card on the website..

Correct. Yeah. And then we're going to be in an online store and all these things again for the SMB market..

And would you need to accelerate some internal investments where there's channel sales, inside sales teams and channel support?.

Not really. I mean, you just go through the business. That's the advantage of our model is that because we have separated very well between the new business versus the renewals, to realize that the renewal business which is the big chunk will always be the bigger chunk, then that's the business that you can scale very well.

So then if you have investment to make, it's much more on the front end. And because we are very leveraged also with partners.

So, we can do that very cost effectively and we don't have that – these management sales guys, which are very expensive, and need an AC (50:33) and need all that other infrastructure and then the product need the professional services.

So we have all that advantage of having a really well-designed and well-packaged cloud solution that essentially deploys immediately instantly.

But you don't need – it's like when you buy a phone and you download an app, it's all there and it all works, so we have significant economies compared to our – on the sales and marketing front as well compared to your traditional enterprise security solution..

Thank you. And that concludes our Q&A session for today. I'd like to turn the call back over to Joo Mi Kim for any further remarks..

Thank you, Christine. And thank you all for coming to our second quarter 2017 earnings call..

Ladies and gentlemen, thank you for participating in today's conference, this does conclude today's program and you may all disconnect. Everyone, have a great day..