Joo Mi Kim - Qualys, Inc. Philippe F. Courtot - Qualys, Inc. Melissa B. Fisher - Qualys, Inc..

Alex Henderson - Needham & Co. LLC Sterling Auty - JPMorgan Securities LLC Robert Breza - Northland Capital Markets Michael Kim - Imperial Capital LLC Erik L. Suppiger - JMP Securities LLC Gur Yehudah Talpaz - Stifel, Nicolaus & Co., Inc. Ryan Michael Flanagan - Monness, Crespi, Hardt & Co., Inc.

Matthew George Hedberg - RBC Capital Markets LLC Jayson A. Noland - Robert W. Baird & Co., Inc. Liz Verity - KeyBanc Capital Markets, Inc. Srini Nandury - Summit Redstone Partners LLC Siti Panigrahi - Wells Fargo Securities LLC Melissa Franchi - Morgan Stanley & Co. LLC.

Good day, everyone, and welcome to the Qualys Third Quarter 2017 Earnings Conference Call. This call is being recorded. At this time, all participants are in a listen-only mode. Later we will conduct a question-and-answer session and instructions for asking a question will be given at that time.

I would now like to turn the call over to Joo Mi Kim, Vice President, FP&A and Investor Relations. Please go ahead, ma'am..

Good afternoon and welcome to Qualys' third quarter 2017 earnings call. Joining me today to discuss our results are Philippe Courtot, our chairman and CEO, and Melissa Fisher, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements.

Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K.

Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures.

A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, and an accompanying investor presentation with supplemental information are available on our website. With that, I'd like to turn the call over to Philippe..

Thank you Joo Mi and welcome everyone to our Q3 earnings call. Melissa and I are very pleased to report another quarter with strong performance on both revenues and profits driven by the continued adoption of our Qualys Cloud Platform and its integrated suite of security and compliance applications we call Cloud Apps.

We are very pleased to raise again the bottom and top end of both our revenues and non-GAAP EPS guidance for the full year 2017 and Melissa will provide you with more color on it.

These impressive results clearly underscore the competitive advantage we have created by taking the long view to build a highly scalable cloud platform that can be delivered both as a shared platform or on premise.

This dual approach give us an additional and unique advantage given the accelerated migration to cloud solutions in an increasingly vulnerable and regulated environment.

As we all know, traditional enterprise point solutions, which are inherently difficult to deploy, maintain and integrate, are not effective anymore in protecting against crippling attacks such as WannaCry and in coping with new regulations such as GDPR.

As a result, companies are now looking for true platform solutions to consolidate the security and compliance stack in order to reduce cost and complexity while improving their security and compliance posture. Furthermore, businesses of all sizes have a critical need to accelerate their digital transformation.

This transformation requires a new approach to security where security must be built in and not bolted on. These requirements make our platform approach strategic to our customers and bolster the expansion of our Vulnerability Management solution as well as the adoption of additional solutions.

This is underscored by the fact that, now 30% of our Enterprise customers have now deployed 3 or more solutions compared to 23% a year ago. We also saw this manifest itself this quarter through the continued adoption of our Cloud Agents with almost 5 million purchased over the last 12 months.

This represents a 37% increase over last quarter and contributed to the increase in the number of large deals with both existing and new customers. As an example, we signed a multi-million dollar expansion with a leading cloud provider who not only expanded the scope of their Vulnerability Management but added Cloud Agent and AssetView.

Additionally, this quarter we signed a multi-million dollar annual deal with a large healthcare company encompassing both Vulnerability Management and Threat Protection; this was an existing customer who had previously only used our Web Application Solutions and PCI service on a limited basis.

As WannaCry and GDPR are impacting enterprises worldwide, we saw new customers deal size in Europe increase this quarter as well. We signed a six-figure deal with a new European customer to fully deploy Vulnerability Management in their environment; in the past, as you know, many customers had begun with partial deployment.

As we've discussed before, larger deal sizes benefit both our stickiness with our customers as well as our profitability. A few weeks ago, we hosted our 17th Annual Qualys Conference in Las Vegas at which we had record attendance by our customers and prospects.

The theme of the conference was From Securing our Networks to Enabling the Digital Transformation of our Enterprises.

We demonstrated there a significant expansion of our platform as evidenced by Elasticsearch, where we now index over 250 billion data points and as well as the addition of – additional open source backend like Cassandra and Kafka, and additional analytics and reporting engines.

We also showcased an impressive suite of additional solutions we will be delivering during 2018, underscoring the power of our true platform approach, and you will find the list in our investor presentation, which is now online. Enterprises worldwide are accelerating the adoption of cloud technologies to retool their business, or their businesses.

This adoption requires unprecedented scalability, accuracy and speed in order to identify all global IT assets, which could be vulnerable, whether on premise, in the cloud or on endpoints.

Enterprises also need to ensure that vulnerabilities are rapidly and properly remediated, which is something traditional enterprise IT security solutions cannot deliver effectively and at which Qualys excels.

Our Qualys Cloud Platform enables enterprises to build security into their digital transformation initiatives for global visibility and better business outcomes. Earlier this month in Monaco, I introduced at Les Assises, the leading security conference in France, Khaled Soudani, Societe Generale's IT Infrastructure COO, as part of my keynote.

He spoke about the vital need they had to accelerate their digital transformation, how security needs to be built into this new cloud-based infrastructure, rather than bolted on and how security needs to become an enabler rather than an impediment.

He also added that the world is moving toward hybrid clouds, that is a combination of public and private clouds. Securing such hybrid cloud architectures requires that security and compliance vendors retool their solution to adopt a cloud-based architecture.

Because we started our journey with such a cloud-based architecture in mind, we believe that it gives us a significant head start. This is evidenced by the fact that 70% of the Fortune 50 have now adopted our Cloud Platform including technology leaders such as Amazon, Microsoft, Apple, and Oracle.

We continue to expand our global partnerships and are pleased to announce that we have been selected by Ernst & Young to be a key component of their new next generation Cyber Security Center in Texas, from where they can monitor client environments, armed with the latest and most advanced tools to streamline detection and prevention of threats.

We are also starting to make inroads in the Federal market due to our FedRAMP certification and the market being more receptive to cloud-based solutions.

Following the selection of our FedRAMP certified private cloud platform by Lockheed Martin, we are pleased to announce that both the Secret Service and the Capitol Police became Qualys customers in Q3.

This quarter, we continued to expand our offerings, with the general availability release of File Integrity Monitoring, FIM and the detection of Indication of Compromise, IOC.

Qualys FIM logs and centrally tracks file change events across global IT systems and a variety of enterprise operating systems to provide customers a simple way to achieve centralized cloud-based visibility of activity resulting from normal patching and administrative tasks, change control exceptions or violations, or malicious activity.

Then report on that system activity as part of compliance mandates. This highly scalable and centralized solution we provide now, reduces the cost and complexity of detecting policies and compliance-related changes mandated by increasingly prescriptive regulations.

Qualys IOC detects activity and behavioral changes on the endpoint and delivers a continuous view of suspicious activity to customers that may indicate the presence of known malware, unknown variants, or threat actor activity of devices both on and off the network, which is quite unique.

By expanding the number of applications we offer, we enable our customers to consolidate an increasing number of security and compliance solutions, eliminating the daunting challenges they have with point solutions that all require their own infrastructure, are difficult and costly to deploy and manage and extremely costly to integrate.

Our platform allows our customers to drastically reduce their spend and for Qualys, we benefit from a more strategic relationship and increased stickiness with our customers. In Q3, we closed the acquisition of Nevis Networks and integrated the team with our existing Pune, India operation.

The acquisition of Nevis Networks enable us to enter the market that is currently served by solutions such as ForeScout.

The acquisition of Nevis provide us with a significant domain expertise in deep packet inspection, also known as passive scanning, and give us the opportunity to accelerate our move into the adjacent markets of mitigation and response.

Once this technology is fully integrated into our platform, we will provide additional visibility and response capabilities to protect against threats from IoT devices. This will provide a holistic view of vulnerabilities within our platform across devices and web applications whether on premise, in the cloud or on endpoints.

We also expect the Nevis acquisition to strengthen our commercial presence in India, which we see as a significant opportunity for our company. Speaking of Pune, our operations there now encompass 350 employees across all departments, including Ops, DevOps, Engineering, QA, Customer Support and Product Management.

This is a major strategic advantage for our company as it continues to be both a competitive and a cost advantage for us. We will continue to invest heavily in Pune.

In summary, we continue to strongly believe that we are best positioned to secure the vital digital transformation facing our customers while helping them secure their current on premise and endpoint environments.

We believe our customers increasingly see us as a strategic vendor which has earned their trust by delivering a true platform that offers them greater visibility, accuracy and scalability and helps them consolidate their stacks.

It is this platform approach, built over many years, that has allowed us to build a strong foundation of recurring revenues, while achieving industry-leading profitability. We believe we are positioned better than ever to help our customers improve their security and compliance posture and forge ahead with their digital transformation.

With that, I will turn the call over to Melissa to discuss our financial results in detail. Thank you..

Thanks, Philippe, and good afternoon. We had a terrific third quarter with both revenues and profits exceeding our expectations. We continue to see healthy demand driven by our strategic positioning as the leading cloud platform in our markets coupled with strong market conditions. The upside in revenue drove record margins for Qualys.

We saw strong demand this quarter from both new and existing customers, the latter with both renewals and upsells. Deal sizes continued to increase in Q3 growing 17% year-over-year, and new customer deal sizes grew 62% year-over-year. From a geographic perspective, we saw very good year-over-year growth in all geographies.

In fact, we had record new customer bookings in EMEA in Q3, driven by deal sizes for new customers in EMEA growing year-over-year more than 100%. Consistent with last quarter, we saw strong performance in the Vulnerability Management category.

Bookings for both Cloud Agent for Vulnerability Management as well as Threat Protection more than doubled year-over-year. This drove meaningful acceleration in new product bookings. New products released since 2015 contributed approximately 14% of total bookings in the quarter, up from 9% last quarter.

These new product bookings are mostly due to Cloud Agent, which includes the associated subscription to either Vulnerability Management or Policy Compliance, and include renewals that convert to Cloud Agent.

Including Cloud Agent for Policy Compliance, we sold 4.7 million Cloud Agents in the last 12 months, an acceleration from 3.4 million as of last quarter.

Our Cloud Agent Platform, as you may recall, is the underpinning technology of many of our new solutions including File Integrity Monitoring and IOC and therefore, should help adoption of these newly released solutions.

Multi-product adoption continues to increase as well, with the percent of Enterprise customers with three or more Qualys solutions rising to 30% this quarter, up from 23% a year ago, and their average spend in the quarter increased 24% year-over-year.

Revenues in the third quarter were $59.5 million, which represents 19% normalized growth over the third quarter of 2016. There was a negative impact on our Q3 2017 revenue growth rate of approximately 150 basis points from the MSSP contract and approximately 110 basis points from FX.

In Q3, we also saw more front-loading of deals, which benefited our revenues. Turning to our deferred revenue balance, the current deferred revenue balance was $132 million as of September 30, 2017, 21% greater than our balance at September 30, 2016.

Normalized for the impact from FX, our current deferred revenue balance would have grown approximately 22% year-over-year. Before moving to our profitability and cash flow, I would like to remind everyone that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non-GAAP results.

Our non-GAAP metrics exclude stock-based compensation and non-recurring items. A full reconciliation of all GAAP to non-GAAP measures is provided in the financial tables of the press release issued earlier today and is available on the Investors section of our Website.

Also note that certain amounts in prior periods have been reclassified to conform to the current period's presentation. Adjusted EBITDA for the third quarter of 2017 was $23.9 million, representing a 40% margin as compared to 35% in the third quarter of 2016.

This contributed to a 63% year-over-year increase in GAAP EPS and a 40% year-over-year increase in non-GAAP EPS this quarter. Because of our expansion in India, we achieved this earnings growth despite a 26% year-over-year increase in head count.

In Q3, we also benefited from greater efficiencies in operations, which contributed to an increase in our gross margin to 80% from 79% in Q2 and from 79% in the third quarter of 2016. Gross profit increased by 18% year-over-year to $47 million in the third quarter of 2017. Operating expenses in Q3 increased by 7% year-over-year to $28.7 million.

Research and development expense increased to $9.4 million, or 15% year-over-year, primarily due to higher head count. Q3 R&D expense also includes one month of the Nevis team, and we're excited to have added the team from Nevis.

Sales and marketing expense increased to $14.2 million, or 4% year-over-year, primarily due to higher head count and related costs. G&A was flat year-over-year at $5.1 million as higher head count cost was offset by lower third-party spend.

Net cash from operations in the third quarter of 2017 increased by 62%, to $32.8 million, compared to $20.2 million in the same period in 2016. The year-over-year increase in operating cash flow was driven largely by the growth in our billings and profits.

Capital expenditures were $13.4 million in the third quarter of 2017, compared to $9.8 million in the third quarter of 2016. Out of the $13.4 million, $5.1 million was for our business operations and $8.3 million was for our new headquarters build-out.

We expect CapEx related to our operations in the fourth quarter of 2017 to be between $6 and $7 million and CapEx related to the new office to be another $4 to $5 million, for a total Q4 CapEx spend of between $10 and $12 million.

Total 2017 CapEx related to the new headquarters build-out is now expected to be between $16 and $17 million, up from our prior expectation of $13 to $15 million. We also spent $5.8 million on the acquisition of Nevis Networks in Q3.

In terms of guidance, for the fourth quarter of 2017, we expect revenues to be in the range of $61.7 million to $62.2 million, representing an estimated normalized year-over-year growth rate of 19% to 20% based on our current FX forecasts as well as the previously mentioned impact from the MSSP contract.

We will continue to invest in Q4 and look for high quality talent in a number of areas, however given our highly scalable operational model, we now expect full year 2017 operating margin expansion.

We expect the GAAP EPS for the fourth quarter of 2017 to be in the range of $0.15 to $0.17 per diluted share, while non-GAAP EPS is expected to be in the range of $0.27 to $0.29 per diluted share. We are delighted to be raising our full year 2017 guidance for both revenues and earnings.

We are raising the bottom and top end of our revenue guidance for full year 2017 again, to now be in the range of $229.6 million to $230.1 million from the prior range of $226.8 million to $228.3 million.

We are raising our GAAP EPS guidance range to $1.09 to $1.11 from $1.02 to $1.06 and non-GAAP EPS guidance range to $1.04 to $1.06 from $0.87 to $0.91.

We believe our strong financial results reflect the enthusiasm our customers have for a cloud-based security and compliance platform that can secure their digital transformation and enable them to consolidate stacks for better visibility and security.

At our user conference a few weeks ago, I personally saw how strategic our platform and applications are to our customers and how appreciative they are of our solution that is integrated and at a lower total cost of ownership than competitive on premise solutions.

We continue to believe that our unique competitive positioning, coupled with our scalable model will enable us to continue to grow our revenues and boast top-tier margins. With that, Philippe and I would be happy to answer any of your questions..

Thank you. Our first question comes from the line of Alex Henderson of Needham & Company. Your line is open..

Thanks. So, I just wanted to talk a little bit about the structure of your model going forward. Obviously, with the investments in India, it sounds like your OpEx growth ought to be probably towards the lower end of the teens range going forward.

But it looks like your top-line growth is at the upper end of the teens range and maybe even in the low-20s.

Is that the right way to be thinking about the structure as we move forward into 2018 without actually giving guidance for 2018?.

So our performance this quarter reflects what a scalable model we have, as demonstrated by our record operating margins. We will continue to invest, however, as you can see by our Q4 guidance, which implies sequential margin contraction.

Having said that, we have a highly scalable model, which allows us to continue to invest and boast very healthy margins. With regards to 2018 guidance, we will give that on our next earnings call consistent with prior years..

Just if I could, one follow-up on that.

So when exactly did the Nevis deal closed?.

It closed on August 29..

August 29. Thanks..

Thank you. Our next question comes from Sterling Auty of JPMorgan. Your line is open..

Thanks guys. Happy Halloween..

Same to you..

So GDPR, I'm kind of curious. You talked about – pointed out I think strong results in Europe. GDPR, I think, was a distraction initially for a number of vendors.

Do you think we've moved past that? And are you actually seeing specific deal traction driven by that initiative?.

Absolutely in Europe, and I think it's starting to impact the U.S.

This is something that I don't think many people understand because a lot of people look at GDPR as fundamentally a compliance requirement that okay, you've got to pass another set of things and you have to – but it's much deeper than that because it has forced, especially in Europe, and now it's coming to the U.S., companies to rethink their entire security strategy and to fundamentally accelerate their digital transformation.

That was the speech of Khaled Soudani, which is the COO for the entire Société Générale infrastructure IT, and he's got 6,000 people reporting to him.

And essentially, it's all about now building security, first of all, accelerating the digital transformation so you could have a much better handle on security, of course, improving the velocity of your business.

And the fundamental notion that you've got to build the security into it, which means that security is becoming much more for DevOps now issue than the traditional like bolt-on and add security components or Enterprise security solutions. It's a major shift.

And I think GDPR, because of the onerous fine that the regulator could impose up to 4% of their revenue if the corporation cannot prove to the regulators that they have been good guardian of both the security and the privacy of the data of their customers. That's a huge, huge shift.

And so I think we were in a way lucky, because we have the right architecture, which is not the same for a lot of other vendors..

That makes sense. Maybe one other on a vertical question, U.S. Government, I think, was decent for some vendors and not for others. Can you give us maybe a little bit of your experience, what you saw in terms of demand out of the U.S.

Federal, given their fiscal year end?.

So for us, it's very different. Again, we are not positioned at all like all the other vendors, which typically are between 20% to 40% of the revenues in Federal. We have only 1%. So for us, it's all gravy. But more importantly, the government now needs scalability, immediacy, and again, cloud solution is really the only solution.

And when I say cloud solution, cloud-based solutions. That means that the fact that we have the ability to deliver our entire cloud stack on premise is exactly what government across the world require because they are not yet comfortable to put everything on Azure or on AWS. And their network are really pretty big.

So, that's what we saw with Lockheed, which now has a Qualys private cloud. And, of course, now we just mentioned the Secret Service is now a customer. So now, finally, the market is coming to us again. So it's very new for us.

It's all – of course, it's going to take some time as you very well know, government takes time, the procurement is so complex and lengthy. But for us, I mean, it's all gain. We have nothing to lose here, everything to gain..

Thank you. Our next question comes from Robert Breza of Northland Capital Markets. Your question, please..

Yeah. I was just curious, Philippe, if you could talk about, kind of, the macro backdrop, I think, kind of, in tune with some of the prior questions. We've seen some companies execute well and some, not so well. Are you seeing anything on the tea leaves from a macro environment, whether it's Europe or the U.S.

that causes you to stay awake at night or think about more intently?.

No, I think for us, we are – again, we are so well positioned because we have the ability to deliver the cloud in the way company essentially can absorb it and also have that ability to secure.

Like, for example, when Microsoft Azure, we have our agent now integrated into Microsoft Azure, so any Microsoft Azure customer can, at a click of a mouse, essentially provision a Qualys agent, which will give the continuous view of the security compliance posture of the environment on Azure. This is totally integrated.

Nothing to install, nothing to do. They just click on a link and that's it. So that ability to integrate security or to build security into this cloud environment, whether they are public or whether they are private, it's really the new game. That's the way we see it.

So, we see that, as I mentioned earlier, on the question of Sterling, GDPR is accelerating that thinking because of the onerous penalties that you could get.

So getting 4% of your revenues as a fine, you may want to say, should I not invest that ahead of the game in my digital transformation to make sure that I'm not going to be – I'm going to be able to really secure it? Because quite candidly and I've been mentioning that many times during my RSA keynotes over the years to the point that I felt like Galileo, thank Lord, I'm in America, so they didn't put me in house arrest.

(30:40) becoming harder and harder, if not impossible, to secure the current computing environment, which is network base. So, then we need to move from that client/server Enterprise network-based environment to a much more cloud-based environment..

Maybe as a follow-up to your comments around Microsoft Azure and customers moving workloads to the cloud, et cetera.

As we sit back and think about the number of IP addresses being scanned, have you seen your IP addresses being scanned or customers expanding the different – or more workload, et cetera, more applications, et cetera, as they're moving toward the cloud, are you seeing that expansion increase in terms of the overall business model, or how should we think about because obviously, those elements still need to be scanned, whether they're running in Azure or AWS, et cetera.

But....

Correct. Well, that's an interesting (31:45), yeah this is a – sorry, go on..

No. I'm done. Thank you..

Okay. So, that's a very interesting question. In fact, there is two moving parts here. On one hand, customers realize today that you cannot just look at your critical – your perimeter and your critical servers, add a few critical applications.

You've got now – because everything is interconnected with everything, you've got to really have a complete visibility on your entire environment. And very soon also on these IoT devices that connects to your environment as well, so that significantly increase, if you prefer, the scope of IT.

Now at the same time, of course, as you are moving some of these assets into the cloud, it reduces, of course, the number of IT assets that you are going to have to look at on the on-premise work.

But since today, we are so under – there's still so much room to grow in that old world that there's still a lot of expansion that we see within our existing customers, even customers which have been with Qualys for 10 years, they may have been scanning maybe 30% of their assets. So now today, they've got to do more.

And then, of course, they need to have that solution to scan their assets or identify the vulnerabilities on those assets, which are in cloud environments. So, the very unique thing of Qualys is that with the same platform, you do both. So it's a win-win for our customers.

Does that make sense?.

Thank you. Our next question comes from Michael Kim of Imperial Cap. Your line is open..

Hey good afternoon guys. Just with regards to the global partnerships, do see a greater focus or opportunity with partners like E&Y and other consultants or MSPs.

How do you think about exploring new routes to market?.

Yeah, absolutely. So, what is happening today, we saw, first of all, as you may recall from some of our previous calls that we have established a very significant position with all the Indian outsourcers, the Tata, the Wipro, the HCL, Accentures, et cetera, which are both Qualys customers now, but as well as Qualys partners.

Now we see companies like Ernst & Young and also these Indian outsourcers really focusing on the digital transformation and building architectures, if you prefer, which absolutely again are cloud-based so they can, in fact, provide not only helping the customers to accelerate their digital transformation through the retooling consolidation of data center virtualization, which now by the way is not anymore virtualization.

Now the technology has moved, it's containerization, and then, of course, you've got to look at the security as a whole.

So we, in fact – so you have to have a cloud architecture to be able to fit into this new initiative from this partners, and that's again the big advantage of Qualys here is that this is an Enterprise software solution doesn't cut it, it's that simple.

So we see that as strategic partners for the future, and we are very pleased with Ernst & Young, of course, with their brand-new data center or security center.

We see that coming from other companies and essentially, we're becoming a very strategic partner for these, I would call, next generation of outsourcers, which are essentially helping companies accelerate their digital transformation and securing it..

Thank you. Our next question comes from Erik Suppiger of JMP. Your line is open..

Yeah. Thanks for taking the question and congrats on a very good quarter..

Thank you..

The Cloud Agent has had a nice acceleration in the last couple of quarters. Can you talk a little bit about what dynamics are changing around that? And then secondly, can you give us a frame of reference on what kind of penetration you've had? I think we know your customer count, but I don't think we have a good sense for the endpoint customer count.

So can you give us some sense of what kind of penetration you've had at this point?.

So generally speaking, the Cloud Agent is still the same, which means that we have a natural extension from our customers, which already are doing Policy Compliance and Vulnerability Management. It's a very natural extension. As you know, this is, kind of, a Trojan Horse strategy for us.

Every new customer today essentially start taking Cloud Agent as well.

And so this Cloud Agent, the way to look at them is that not only they expand our ability to – they provide a much better Vulnerability Management and Compliance solution because it makes it real time as you may recall, you don't have now – you don't need any more the scanning Windows, you don't need to fetch the credentials, and it doesn't really – it gives you immediacy and it doesn't really take much traffic either.

So, they are really very good, since the next generation of Vulnerability Management and Compliance that we have with them.

But they are at the same time, the enabler of a slew of new services, which now we are very pleased that we have now shipped our File Integrity Monitoring and our detection of Indication of Compromise, which are – Indication of Compromise, this is what is going to really start pushing us more at the endpoint because on the endpoint, you don't really scan an endpoint that leaves the network.

So, that's why we are never very strong on these endpoints. But now today, the beauty of our Agent is that, even if the endpoint is out of the network, we still track it. And that's again very unique to our architecture. And as we start to see traction, of course, for the IOCs, we are going to have more and more our agent on the endpoints.

And then, of course, you have many other services now which are in the making and that will help us continue, if you prefer, the acceleration of our Cloud Agent solution..

And from a penetration standpoint, we estimate that out of our customer base, the percent of customers with Cloud Agent is approximately 8%, which just shows how much room we have to grow.

But also, even so, understates the opportunity, because similar to our current VM or Policy Compliance solutions, our customers have not fully deployed their Cloud Agents. And so there's huge opportunity within our customer base for more growth..

Thank you. Our next question comes from Gur Talpaz of Stifel. Your line is open..

Great. Thanks for taking my question. So, in the press release, you made a pretty interesting customer announcement in Maersk, which was notably hit by the NotPetya Ransomware campaign.

Can you talk about the impact of ransomware here? Was this deal specifically related to ransomware? And just more broadly speaking, have you seen ransomware serve as a driver of adoption, just, sort of, given the natural correlation between vulnerabilities and your solution?.

Absolutely. And let me explain. So what WannaCry, that ransomware essentially did, that WannaCry is exploiting a vulnerability, which is a very pervasive vulnerability and then essentially crippling companies. And that's a rude awakening for a lot of companies.

Before everybody was focused on APTs and targeted, so okay, they go after a certain number of things. But now today, they can cripple your business and we effectively gave Maersk as an example, which was not a Qualys customer, just to discover today which are the devices, which are vulnerable to WannaCry. Nobody has an idea.

So that's where Qualys shines because immediately, we can tell you if you're an existing Qualys customer and we are scanning your entire environment, which we start to do more and more.

Then, of course, we will immediately tell you without even having you to search through our Elasticsearch back end, which remember now today, we have indexed, which is absolutely a fantastic engineering feat, 250 billion data points and growing. So immediately in two seconds, we tell you would this is where you are exposed.

And now, of course, you've got to go and through ThreatPROTECT, you can even follow through the remediation, so we give you the dashboard, which allows you to not only immediately see everything, where you are exposed, but then follow the remediation, which is as important, of course, as discovering them.

So that has been essentially highlighting the unique capability of our scalability and has created the new business. And, of course, as we continue moving more into the IOC and the detection, now it's trying to detect – ransomware is going to be something very interesting at the moment of infection.

So this is of course, extension that we are starting to go, that we are starting to build into our platform to go more into the response side.

So today, WannaCry, to make the story short, serves us because of our ability to detect vulnerable devices and now, of course, we are going to expand our platform to also being capable of responding if an attack is occurring. But that will take, of course, some time, and I'm not going to give you deadlines here.

But that's the direction that we are absolutely taking..

Thank you. Our next question comes from Ryan Flanagan of Monness, Crespi, Hardt. Your line is open..

I had a question about hiring. We've heard scarcity of talent in the Silicon Valley.

Has that been a problem for you guys, or does the fact that you have such a large head count in Pune, kind of, act as an offset there?.

Yeah. So, no, it has been a huge issue. And in fact, thank Lord, Sumedh and I, we made the decision now about five years ago to do two things. One was to essentially re-architect our back end because, of course, of all the new technology coming.

And now that you can see with injection and you can see that in our investor presentation, we have injected a lot of open source back end. The challenge here is that this open-source back end are great, but you need to make them scalable and you need to integrate them into a single solution. And that's where Qualys has absolutely done a fantastic job.

Now we very candidly will not have been able to do that job, if we would not have made the decision to, Sumedh and I to invest in Pune five years ago. And because – we could not find the talent. Now the advantage, we went to India for the talent. We didn't go to India for the cost. And, of course, we discovered the cost.

And now thanks to that huge difference in terms of cost, we can still do – while doing that massive investment in India; we can still generate fantastic profits. And by the way, we are continuing investing big time in India.

The Silicon Valley, it's very, very difficult to find the talent that we need specifically, so I think we are really glad that we made that decision four years ago..

And I think one added benefit for us is given where we are with the platform and we're in a position where we've made our first acquisition and we're looking at acquisitions, we'll also be in a position to add talent inorganically, whereas five years ago, the company may not have been ready..

Correct, that's the other advantage also of having now the platform ready.

In the past, while a lot of people who were trying to push us to accelerate our growth by spending more money were trying to explain, no, we want to build a platform first before doing acquisitions, because it's all about being able to integrate in our model additional solution to our platform. So either we build them or we buy them.

But for us to buy them, it makes only sense. if the architecture is there that we can take that foreign DNA and that foreign DNA is also designed in such a way that we can also take it. So, that has been limiting our ability to grow through acquiring technology.

But now today, we feel that we are very positioned and very delighted, by the way, with that Nevis acquisition. They are already all integrated in Pune, and we are quite candidly looking at other acquisitions in India as well..

Thank you. Our next question comes from Matt Hedberg of RBC Capital Markets. Your line is open..

Great. Thanks for taking my questions. Philippe, new products continue to be a driver of bookings. I think most notably, the Cloud Agent, which you talk about.

How should we think about the cadence of new product releases into Q4 and 2018?.

Well, I think we again have reached a very good maturity because, what is very unique in any cloud environment is that you are not in the assembly line, I would say, of your traditional Enterprise, where you've got the engineering, designing, then they pass that to QA, then QA pass that to customer support and then you install, and then et cetera, et cetera.

So, what we have done very uniquely, as you may recall, is that under Sumedh, our Chief Product Officer, we have now Ops, DevOps, Engineering, QA, Customer Support, Product Management all that under one roof and we cloned that in India.

And that's one of the reasons also why we can attract top talent in India because we give them really the opportunity to really contribute instead of just writing code. So, that ability to do all these business together, we have really mastered that.

And the advantage then when you have done that is that in order for you to develop a new solution or to integrate a new solution, you don't need an army of people because you leverage the platform. So our application team, if you prefer, or Cloud App team, are small. If I tell you that Elasticsearch, for example, was done by three people, that's it.

So we leverage, of course, the Elasticsearch engine open source available, then we have the three people really making it scale. And here suddenly, about a year later, we have indexed 250 billion data points.

So, that tells you that there is multiple leverage points in Qualys, in our business model, and we absolutely work at that over time and resisted the sirens of accelerated growth at any cost. And I think today, we're starting to see the benefits of that longer-view approach that we have taken..

And I would add, Matt, another reason why we're positioned even better today than previously is, as I mentioned in my prepared remarks and I think Philippe mentioned as well, that Cloud Agent is the underpinning technology for some of these new solutions like File Integrity Monitoring and IOC.

And so with now having 5 million Cloud Agents deployed, it makes it that much easier for customers to adopt these added solutions..

Absolutely..

Thank you. Our next question comes from Jayson Noland of Robert Baird. Your question please..

Okay, great. Thank you. Melissa, I wanted to ask on the deceleration and long-term deferred.

Is that primarily a function of the big MSSP deal from Q1?.

Actually, it's not really the MSSP deal. The deceleration in the long-term deferred is a result of amortization of existing multi-year pre-pay deals exceeding the amount of deals sold in Q3. So, if you recall, we had talked about in Q1 in terms of cash flow, we had a large number of multi-year pre-pay deals, that was higher than usual.

And now we're back to more regular levels and that's the reason. We focus on current deferred because a majority of our business is one-year contracts, and we don't intend our sales force to do multi-year pre-pay deals and we don't drive our – we don't drive our business that's way. It's really driven by customer requests..

Thank you. Our next question comes from Rob Owens of KeyBanc Capital. Your line is open..

Hi. This is Liz Verity on for Rob Owens. Related to the ransomware question, curious if – what impact do you think the high profile Equifax had on maybe the perception of Vulnerability Management overall and any impact to your business in terms of demand? And maybe the quarter being more front end weighted? Thanks..

So yes. This is not like WannaCry – this is more a Struts. Equifax is another of this type of nasty vulnerability, if you prefer, which is – here it was an Apache code. And as we know now, Equifax was, in fact, a server, which was vulnerable outside of the U.S. and they managed to get back into the network and do all the bad things.

So that's again for our business, especially Vulnerability Management is absolutely a godsend and because it shows how important it is to identify your vulnerabilities.

And if you don't look at everywhere, then you could be caught by surprise exactly, what happens to Equifax that, could be penetrated in one place on the globe and somehow they managed to target from there to go inside. And once they are inside, then that's another game.

It becomes much harder to detect and that's why we're working, by the way, on really trying to work on the detection from the inside, which is really a very unsolved problem. And so, at least, you need to know your vulnerabilities and everybody goes back to that basis. So, the years of vulnerabilities have come, I would say.

And it was always the, kind of, application which is relegated to (50:41) yeah, but we've got better things to do, we need to put our firewalls, we need to put intrusion detection, et cetera, et cetera. But now today, people realize that despite all of these precautions, the bad guys find a way to go inside.

And once they are inside, then it's become, with the current environment, which is very network-based, unless you segment everything on your network, which then, of course, at the zero absolute, nothing moves. And then, of course, you have peace, but then you don't do much. So, that's good for us in a way..

Thank you. Our next question comes from Srini Nandury of Summit Redstone. Your question, please..

All right. Thank you for taking my question.

Philippe, regarding your comment on ForeScout and Nevis acquisition, is the solution going to be deployed on premises to monitor IoT devices attached into the network, or it looks like, it'll be certainly a departure from your cloud model, which you have right now?.

No..

And when does the Nevis product come in to the market? Thank you..

So essentially, the way we look at the market, some people will tell you, you have to be agentless. Of course, if you have only an get agentless solution, that's exactly what you will tell, this is the solution. The reality is that you need to – the complexity of the problem is such that you need to have multiple view.

And so we really believe in that, kind of, architecture that we have where we bring three different technologies at scale, which is really the big challenge. One is, of course, the scanning technology, which is agentless, which we have really mastered on one-way scanning billions of IPs per year.

The second one, of course, is that agent technology, which wherever you can put an agent, you have now real-time full visibility. And then now that passive or network analysis, which is also, will give you other information. And it is bringing these three information together that really give you that complete view.

And that's where again Qualys differentiates because to put these – again, you go back to the 250 billion data points indexed on Elasticsearch, on our Elasticsearch cluster. If you bring all this technology, and by the way, with the IOC, with everything we do, we're going to have even more than that. So you need to have a highly scalable back end.

Now in order to have such a scalable backend, you cannot redo that with your traditional Enterprise architecture. You need the cloud architecture.

What is very unique with Qualys is that because of the requirement of some of our customers, like Oracle was the first private cloud for Qualys and now, of course, Microsoft, Amazon and many other very, very large environment, they want that on premise.

And because they want the architecture, but they want it on premise because you cannot really secure a cloud from the outside, from another cloud, or at least, you are limited. So, you want to secure the cloud from inside the cloud.

But then, you need to have the same architecture as the cloud to secure it, and that's what Qualys has a unique difference. We have been doing that, we have today more than 50 platforms, private cloud installed in the world, in large corporations with now a smaller version, (54:02) version of our private cloud.

And that's what we start shipping in quite a good quantity. So for us, there's no differentiation between private and public cloud. It's the same architecture that we can deliver as customer needs and requires it. So, that's the big challenge and the big opportunity for us.

So, we are moving, definitely to answer your question on offering a much broader solution essentially that you see from the ForeScout and others, and the Nevis acquisition is a piece of it.

And we anticipate today, if you go to our investor presentation, there's a category now that we call Secure Access Control, which is a response to threats automatically by controlling access to critical resources. And that's what that Nevis acquisition will be in part there, that we're anticipating today to be on the release of Q3 2018..

Which should be the target beta date?.

Which is the target beta date, then we will try to do better..

Thank you. Our next question comes from Siti Panigrahi of Wells Fargo Your line is open..

Most of my questions have been answered. But Philippe just wanted to dig a little bit into the competitive landscape.

Are you seeing anything different from your competitors, mainly Rapid7, Tenable, (55:31), any changes that you're seeing there?.

I think as I mentioned earlier, I mean, the strategy of Rapid7 is becoming very clear today for everybody, is that they are really focusing on creating an analytics platform. That's what they're doing more and more through the acquisitions, so this is their inside DR (55:52). So that, of course, that's for them to execute on that strategy.

And so that's what we see, we see them in that sense not as much as a competitor as they used to be. And as far as Tenable, the jury is out, as far as I'm concerned, because on one hand, they were so against the cloud. Most of the – a big chunk of their business is Federal.

So, they have now today their old enterprise architecture, now they got the new AWS Architecture. So, of course, there's a lot of work that they've got to do to essentially come up with a really true competing solution to Qualys on the AWS platform.

And on top of that, the AWS platform, albeit, shortened your deployment because, of course, you don't have to be in the lot of things that they have. On the other hand, you cannot deliver, really, AWS on premise. So, they will have – if they want to do that, they will have to rebuild all of that. So, I'm just looking at what they do.

They make a lot of claims, but so far, I see them with significant engineering challenge ahead of them..

Thank you. Our final question comes from the line of Melissa Franchi of Morgan Stanley. Your line is open..

Great. Thank you for squeezing me in. Philippe, I was wondering if you could just comment on the health of your MSSP business. I know that you have a number of relationships. And I think at the beginning of the year, you also expanded your relationship with IBM.

So just wondering if you have any – if there's any change in the overall view and if that's becoming a more strategic channel for you?.

So that's a good question. So, our business with MSSP is doing fine. What I see really happening is that there is going to be a race for new MSSP generation because the existing generation, they have built their own thing and they have to retool as well.

Like we did, if we go back to Qualys four years ago, we realized that we needed to absolutely inject new technology. We have just finished the virtualization of our entire platform. But now everything that we do, we containerize it. So just to tell you, technology moves so fast.

So once technology moves fast like that, it gives opportunities, and that's what we see with companies like Ernst & Young and others trying to really come with a different – with a newer architecture to compete against the existing, more established MSSPs. So the race is on.

And for us, quite frankly, we are more the Swiss Army here or the Swiss – for us, we have a platform that people can leverage. We are very easy to integrate in this environment, obviously, because we've got the right architecture. So we see them as a, kind of, more opportunity for us..

Thank you. At this time, I'd like to turn the call back over to Joo Mi Kim for any closing remarks.

Ma'am?.

Thank you. And thank you all for attending our Third Quarter 2017 Earnings Call. We look forward to seeing many of you in November at the Stifel 1x1 Growth Conference in Chicago and UBS Global Technology Conference in San Francisco..

Thank you..

Thank you..

And good, Halloween. I don't know how you say that in English..

Happy Halloween..

Happy Halloween, okay, to all of you..

Ladies and gentlemen, this concludes today's conference. Thank you for your participation, and have a wonderful day..